ASX Release
4 JUNE 2020
WESTPAC RELEASES FINDINGS INTO AUSTRAC STATEMENT OF CLAIM ISSUES
Westpac today announced the results of its investigation into the Anti-Money Laundering and Counter-
Terrorism Financing (AML/CTF) compliance issues, as well as releasing the Advisory Panel Report into
Board Governance of AML/CTF Obligations and the Promontory Assurance letter on management’s
accountability review.
Westpac Chairman Mr John McFarlane said, “In line with the Board’s commitment at the 2019 AGM, we
are now making public the results of reviews into the Bank’s AML/CTF compliance failings.
“It’s been my experience since joining the Bank that Westpac deeply regrets this matter. Indeed,
recognising the seriousness of the issues raised by AUSTRAC, the former CEO stepped down and the
former Chairman brought forward his retirement.
“We are all committed to fixing these issues so they don’t happen again.”
The failure concerning International Funds Transfer Instructions (IFTIs) non-reporting occurred due to a
mix of technology and human error dating back to 2009.
The failure properly to adhere to AUSTRAC guidance for child exploitation risk in respect of some
products occurred due to deficient financial crime processes, compounded by poor individual
judgements.
We have identified three primary causes of the AML/CTF compliance failures:
• Some areas of AML/CTF risk were not sufficiently understood within Westpac;
• There were unclear end-to-end accountabilities for managing AML/CTF compliance; and
• There was a lack of sufficient AML/CTF expertise and resourcing.
With regard to Board oversight, the Advisory Panel formed a range of views on financial crime related
governance. The Report noted that the way in which the Westpac Board organised its general
governance responsibilities was mainstream and fit for purpose. The Report also noted that, with the
benefit of hindsight, and noting the Board’s escalating focus in the area, directors could have recognised
earlier the systemic nature of some of the financial crime issues Westpac was facing. The Panel also
noted that reporting to the Board on financial crime matters was at times unintentionally incomplete and
inaccurate.
Westpac CEO, Mr Peter King said the management accountability assessment, conducted with external
assistance, looked back over ten years and where fault was identified, appropriate action has been
taken.
“Consequences that have been applied to individuals include significant remuneration impacts and
disciplinary actions. A number of relevant staff had already left the company.
Level 18, 275 Kent Street
Sydney, NSW, 2000
“A range of remuneration consequences were applied to 38 individuals. Consequences applied to prior
year awards, including withheld FY19 short term variable reward, totalled approximately $13.2 million¹.
In addition, cancelled FY20 short term variable reward, including for the CEO and Group Executives, is
valued at approximately $6.9 million assuming an outcome of 50% of target opportunity.
“Remuneration and disciplinary actions took into consideration decisions already taken and announced,
the level of direct managerial responsibility or accountability for the compliance failures, and the level of
culpability for failings.
“While the compliance failures were serious, the problems were faults of omission. There was no
evidence of intentional wrongdoing,” Mr King said.
Mr McFarlane said Westpac’s remediation program focused on strengthening all aspects of non-
financial risk management.
“We accept the recommendations of the Advisory Panel report and we are implementing them as part of
the remediation plan, which is already well advanced.
“We have established a new Board Legal, Regulatory & Compliance sub-committee, appointed a deeply
experienced executive to a new Executive position directly responsible for financial crime compliance,
and made a number of other organisational changes.
“We will have no tolerance for controllable negative events. Our transformation program has begun and
will bring deep cultural change,” Mr McFarlane said.
Mr King also acknowledged the need for cultural change within the Bank.
“We recognise we need to change. We completely accept that some important aspects of Westpac’s
financial crime risk culture were immature and reactive, and we failed to build sufficient capacity and
experience in some important areas,” Mr King said.
“We have learned from this and are absolutely committed to making amends for this event.”
Mr McFarlane said Westpac’s investigations had now concluded and Westpac would continue to
engage with AUSTRAC on the legal process, following the submission of its defence and admissions on
15 May 2020.
Attachment 1 – Overview of Westpac’s AML/CTF compliance failures related to AUSTRAC’s Statement
of Claim
Attachment 2 – Advisory Panel Report
Attachment 3 – Promontory Assurance Letter
For further information:
David Lording, Group Head of Media Relations, 0419 683 411
Andrew Bowden, Head of Investor Relations, T. (02) 8253 4008, M. 0438 284 863
This document has been authorised for release by Tim Hartin, Group Company Secretary.
¹ This includes the forfeiture of unvested short and long term variable reward for the former CEO (Brian Hartzer) as well as a
range of downward remuneration adjustments, in part or in full, to current and former executives and employees. Equity-based
awards have been valued using the five day volume weighted average price of Westpac shares up to and including the date of
receipt of AUSTRAC’s Statement of Claim on 20 November 2019 ($26.20) applying a 50% discount for long term variable reward
subject to performance conditions.
ATTACHMENT 1: OVERVIEW OF WESTPAC’S AML/CTF
COMPLIANCE FAILURES RELATED TO AUSTRAC’S
STATEMENT OF CLAIM
1.0 BACKGROUND
As a major bank, Westpac has an important role to help AUSTRAC, law enforcement and the
Government fight financial and other serious crime. Westpac must have systems, controls and
processes in place to prevent our services being exploited for financial and other serious
crime. These processes include:
• Assessing and mitigating money laundering and terrorism financing risks;
• Monitoring transactions and conducting customer due diligence to help identify
potential threats;
• Providing AUSTRAC with information about certain financial transactions; and
• Informing AUSTRAC about any suspicious customer activity and cooperating with law
enforcement to support investigations.
Westpac’s systems, controls, processes and resources were not robust enough during the
relevant period to prevent issues in the AUSTRAC Statement of Claim (the AUSTRAC Claim)
from occurring. Westpac accepts full responsibility for its mistakes and has admitted relevant
contraventions as part of the AUSTRAC court process.
2.0 CURRENT STATUS OF AUSTRAC STATEMENT OF CLAIM
Since the proceedings were filed in November 2019, Westpac and AUSTRAC have worked
together constructively to narrow the issues in dispute and, if possible, resolve the matter. To
date, the parties have been unable to reach agreement on all issues and so some aspects of
the dispute are continuing through the Court process. On 15 May 2020, Westpac filed a
Defence to the AUSTRAC Claim which admitted to a substantial majority of the contraventions
alleged by AUSTRAC. These admissions included:
• The non-reporting of IFTIs and associated tracing information failures;
• Record keeping failures;
• Ongoing customer due diligence failures; and
• Failures regarding certain correspondent banking obligations.
While the Defence makes a large number of admissions, a relatively small number of areas
remain to be resolved in the current legal process. No trial date has yet been set.
3.0 EXTERNAL REVIEWS
To identify the causes of compliance failings, determine the appropriate consequences, and to
identify key lessons learned, the Westpac Board commissioned a review by an Advisory Panel
into Westpac’s Board Governance of Anti-Money Laundering / Counter-Terrorism Financing
(AML/CTF) Obligations, an external assurance review of Westpac’s management
accountability investigation, and an external review of Westpac’s financial crime program,
undertaken by Promontory.
3.1 Advisory Panel Review into Board Governance of AML/CTF Obligations at
Westpac
The Advisory Panel of Dr Ziggy Switkowski AO, Dr Kerry Schott AO and Colin Carter AM has
finalised their report into board governance of financial crime compliance.
With regard to Board oversight, the Advisory Panel formed a range of views on financial crime
related governance. The Report noted that the way in which the Westpac Board organised its
general governance responsibilities was mainstream and fit for purpose. The Report also
noted that, with the benefit of hindsight, and noting the Board’s escalating focus in the area,
directors could have recognised earlier the systemic nature of some of the financial crime
issues Westpac was facing. The Panel also noted that reporting to the Board on financial
crime matters was at times unintentionally incomplete and inaccurate.
The Panel made a number of recommendations for improvements to Westpac’s governance
relating to financial crime compliance. Those recommendations include suggestions to
improve end-to-end financial crime risk management processes and establish clearer
accountabilities for AML/CTF compliance, embedding and clarifying the three lines of defence
model’s applicability to financial crime compliance, rebuilding the relationship with AUSTRAC,
monitoring AML/CTF compliance, observing and learning from global best practice and
accelerating Westpac’s broader Culture, Governance and Accountability work.
Westpac has accepted these recommendations and has ensured they are captured in its
remediation program of work.
The Advisory Panel Report is Attachment 2.
3.2 Promontory Assurance review of accountability investigations
Westpac’s management accountability investigation (see Section 7.0) was subject to external
assurance undertaken by Promontory. Promontory’s assurance opinions are set out in their
27 May letter to the Board Financial Crime Committee, a copy of which is at Attachment 3.
4.0 OUTLINE OF WESTPAC’S COMPLIANCE FAILINGS
4.1 Primary causes of compliance failure
Our investigations have formed a central conclusion that Westpac’s AML/CTF risk culture was
immature and reactive. This had the effect of the Bank not giving enough priority to the
identification and management of some important elements of AML/CTF risk. As a
consequence, there were three primary causes of Westpac’s AML/CTF compliance failings
related to the AUSTRAC Statement of Claim that were identified:
• AML/CTF risk was not always well understood across Westpac. Some key parts
of the Bank did not have a consistently clear understanding and appreciation of the
nature of AML/CTF risk and how it should be managed and mitigated. Similarly,
Westpac did not sufficiently appreciate the depth of specialist capabilities required to
manage AML/CTF risk.
• Aspects of accountabilities were not clearly defined and embedded, including
the three lines of defence. The application of the three lines of defence model for
managing risk did not always operate effectively with the management of AML/CTF
risk. Some individuals did not sufficiently understand, at an operational level, where
their responsibilities commenced or ended and as such, end-to-end accountability
was not always clear.
• Insufficient AML/CTF expertise and resources. Westpac’s financial crime control
framework did not have enough employees with sufficient skills, expertise and
experience to effectively manage AML/CTF risk.
4.2 Overview of compliance failures
The following section details the causes of compliance failings relating to some of the relevant
contraventions alleged in the AUSTRAC Claim. Westpac and AUSTRAC are working through
the court process and relevant court documents will contain additional information in each of
these areas. Westpac’s immediate priority is to continue to address the issues and
weaknesses that have been identified and apply appropriate accountability outcomes.
4.2.1 IFTI non-reporting
• Westpac is required to report to AUSTRAC all International Funds Transfer
Instructions (IFTIs) that it receives or sends. Westpac failed to report approximately
19.5 million IFTIs to AUSTRAC over a 6-year period. Westpac has made admissions
that it did not report the relevant IFTIs within the required time period (noting they
have now been reported).
• Westpac intended to comply with its IFTI reporting obligations, but due to technology
failings and human error, approximately 19.5 million IFTIs were not reported within the
required time period. The majority of non-reported IFTIs concern batch instructions
received by Westpac through one product, and were from two global correspondent
banks, making payments to Australian beneficiaries on behalf of clients of the
correspondent banks. The majority of the payments were low value recurring
payments made by foreign government pension funds and corporates, which had a
low risk profile.
• For the large majority of the non-reported IFTIs, failings can be traced back to the IFTI
implementation program which started in 2009, where resource constraints in the
relevant technology team impacted the successful implementation of the project. In
2011/12, there was also a high turnover of staff where a whole team departed to join
another organisation. The loss of continuity and specialist knowledge associated with
these departures contributed to the implementation errors.
• The non-reporting should have been identified and rectified sooner, including through
a post-implementation review of the IFTI implementation project. At the time, there
was no reconciliation process to verify that all necessary IFTI reports were being filed.
4.2.2 Ongoing customer due diligence in relation to financial indicators of potential
child exploitation risk
• Westpac admitted that it did not monitor the 12 customers sufficiently to identify,
mitigate and manage the risk they may engage in behaviours consistent with child
exploitation risk.
• For a period, Westpac did not keep a formal register to capture relevant AUSTRAC
guidance and did not have a robust enough process to ensure that it addressed and
took action in relation to all AUSTRAC guidance. In addition, individual judgements
that were made about how to implement AUSTRAC’s guidance did not fully take into
account all relevant information.
• Westpac also did not have a sufficient process to detect deficiencies in the relevant
detection scenarios that it had in place.
• While Westpac had monitoring processes over its customers prior to the receipt of the
AUSTRAC Claim and had filed suspicious matter reports with AUSTRAC for each of
the 12 customers (either in response to alerts from the detection scenarios in place at
the time or from other processes and reviews), Westpac should have implemented
more robust monitoring of their transactions for certain types of behaviours earlier
than it did.
4.2.3 Correspondent banking due diligence
• Westpac has made admissions that some of its processes and procedures fell short
of the legal standard required.
• While Westpac carried out regular preliminary risk assessments and due diligence
assessments of the correspondent banks identified in the AUSTRAC Claim, the
assessments:
  ◦ did not sufficiently assess some of the AML/CTF risks posed by those banks; and
  ◦ did not sufficiently assess certain matters relating to the relevant correspondent
    banks that were required to be regularly assessed under the AML/CTF Rules.
• These issues were caused by limitations in the design of Westpac's processes and
procedures, and in a small number of cases, by a failure to follow our established
processes and procedures. In addition, reliance was placed on a particular
operational team to perform functions that were critical to the due diligence process
when that role would have been better suited to those with particular financial crime
expertise.
• Aspects of the assurance obligations for all three lines of defence were not clear
enough. Westpac should have had a more robust assurance process to detect the
deficiencies.
5.0 REMEDIATION
5.1 Specific actions to improve AML/CTF compliance
Westpac has implemented an extensive program of remediation and investment to address
the issues and areas of compliance failure identified through its investigations. These include
the following:
5.1.1 Lifting the focus on Westpac’s AML/CTF obligations
• A Board Legal, Regulatory & Compliance sub-committee has been established,
responsible for overseeing financial crime, regulatory and legal matters, customer
remediation, compliance and conduct management.
• A new Group Executive, Financial Crime, Compliance and Conduct has been
appointed. This role reports directly to the CEO and reflects Westpac’s commitment to
increase our focus on financial crime.
• A significant additional investment in financial crime processes, systems and
expertise across the Bank since 2018.
• A Group-wide AML/CTF training program and Board workshops.
• Promontory is undertaking a further external assurance review of Westpac’s financial
crime program and Westpac will take on board recommendations from the review.
5.1.2 Embedding clear accountabilities for managing AML/CTF obligations and risk
• Westpac’s money-laundering reporting officer (MLRO) is now a new General Manager
position reporting to the new Group Executive, Financial Crime, Compliance and
Conduct. Westpac’s General Manager, Financial Crime, has international expertise in
financial crime. The General Manager role has direct accountability and responsibility
for management of AUSTRAC regulatory engagements and actions.
• Increased focus on Westpac’s end-to-end management of financial crime, including
changes to financial crime governance to clearly specify individual accountabilities and
embed monitoring processes, as well as better defining the three lines of defence
model to ensure clarity of roles and responsibilities.
5.1.3 Increasing expertise and resourcing to manage some aspects of AML/CTF risk
• Westpac continues to significantly increase its financial crime resources, adding
approximately 200 FTEs across Financial Crime Risk, Financial Crime Program
Delivery, Group Audit and Financial Crime Operations, including key senior overseas
hires into the Financial Crime Leadership Team.
• Specialist external and independent input into Westpac’s standard setting and
assurance processes.
5.2 Process changes relating to Westpac’s management of AML/CTF compliance
There has been significant change actioned within the financial crime program to improve
AML/CTF compliance processes, including the following:
• Completed a new enterprise risk assessment to ensure risks and control effectiveness
are clearly understood and managed properly. Rolled out an improved risk
assessment methodology for products and channels;
• Revised regulatory reporting standards and processes, with all outstanding IFTI
reports referenced in the Statement of Claim filed and changes made to assurance
processes to monitor completeness of regulatory reporting;
• Implemented an end-to-end process to interpret, embed and action AUSTRAC
AML/CTF guidance. Delivered new transaction monitoring rules and rule
enhancements, including rules and monitoring to address AUSTRAC guidance;
• Implemented enhanced monitoring over correspondent bank transactions and
updated new correspondent bank processes to better manage risk; and
• Established new control testing capabilities in financial crime to supplement
assurance and audit.
5.3 Culture, Governance and Accountability Re-Assessment
In 2018, Westpac completed a Culture, Governance and Accountability (CGA) self-
assessment examining the Group’s risk culture, governance and accountability frameworks
and practices. This review identified a number of shortcomings in the way Westpac managed
non-financial risk, and changes are underway to address these findings. Following the
AUSTRAC Claim, Westpac is conducting a reassessment of the CGA self-assessment which
will also seek to ensure that any relevant lessons from the AUSTRAC matter and other recent
developments since the 2018 Self-Assessment are taken into account and addressed in that
broader program. Westpac will publish the results of its reassessment and its remediation
plan, which will be subject to assurance by Promontory.
5.4 Broader organisational changes that will enhance Group risk and compliance
outcomes
Under a new Chairman and CEO, Westpac has commenced a series of organisational
changes that are, in part, designed to improve Westpac’s management of non-financial risk.
These include:
• Chairman, John McFarlane announced a Group-wide end-to-end transformation and
culture change program. He also announced a Group-wide review of senior
management remuneration. The review will look at options for a remuneration
structure that places greater emphasis on rewarding long-term achievement and a
continued emphasis on addressing non-financial risk; and
• CEO, Peter King announced a Group-wide restructure to move the organisation to a
more definitive Line of Business operating model.
These changes are in addition to the improvements to the management of non-financial risk
initiated by the Board and management over recent years.
6.0 PREVIOUSLY ANNOUNCED BOARD CHANGES
Following the AUSTRAC Statement of Claim and recognising the seriousness of the issue:
• Former CEO and Managing Director, Brian Hartzer, stepped down from his role and
the Board determined to forfeit all of his unvested equity;
• The Chairman, Lindsay Maxsted, brought forward his retirement (from December to
April 2020); and
• Non-Executive Director and Chairman of the Board Risk & Compliance Committee,
Ewen Crouch, decided not to seek re-election to the Board at the 2019 Westpac
AGM.
7.0 MANAGEMENT ACCOUNTABILITY OUTCOMES
Westpac assessed management accountability and responsibility over a ten year period.
While the issues did not arise from intentional wrong-doing or misconduct at any level, the fact
remains that compliance failures within Westpac’s Financial Crime program occurred and it
was therefore appropriate that consequences be applied.
In April 2020, the Board determined the CEO and the Group Executives will receive no FY20
Short Term Variable Reward (STVR) to recognise the importance of collective executive
accountability.
Further remuneration and disciplinary actions arising from the review took into consideration
decisions already taken and announced, the level of direct managerial responsibility or
accountability for the compliance failure, and the level of culpability for failings.
In addition to previously announced changes, Westpac has reviewed the accountabilities for
relevant current and former Westpac employees.
In summary, remuneration consequences were applied across 38 executive, managerial and
other employees via reductions (either in part or in full) to:
• FY19 STVR which was put on hold pending the result of the review;
• Unvested equity awards granted in prior years, for example, the forfeiture of awards
that remain on foot under Westpac’s incentive plans; and
• FY20 STVR which will be applied at the end of the financial year.
Remuneration consequences applied to prior year awards, including withheld FY19 short term
variable reward, totalled approximately $13.2 million². In addition, FY20 short term variable
reward, which the Board has determined will be zero for the CEO and Group Executives, is
valued at approximately $6.9 million assuming an outcome of 50% of target opportunity.
The AUSTRAC issues took place over a number of years, and a number of individuals covered
by the investigation have already left the employment of Westpac. Accordingly, for those
individuals, while remuneration and disciplinary consequences would have been applied in
some cases, these are not available.
Promontory’s Assurance letter is Attachment 3.
8.0 NEXT STEPS
The completion of Westpac’s formal investigations and the external work undertaken by the
Advisory Panel and Promontory concludes Westpac’s review of its AML/CTF compliance
failure related to the AUSTRAC Claim.
Ongoing work and investment to strengthen Westpac’s approach to financial crime is
continuing. This includes ongoing external review from Promontory on Westpac’s financial
crime program.
Further specific details of the matters contained within the AUSTRAC Claim may be outlined
through the ongoing court process.
Westpac is committed to continuing to engage constructively with AUSTRAC to seek to
resolve the matter if possible and, if not, to ensure the minimum number of issues remain to be
determined by the Court.
² This includes the forfeiture of unvested short and long term variable reward for the former CEO (Brian Hartzer) as well as a
range of downward remuneration adjustments, in part or in full, to current and former executives and employees. Equity-based
awards have been valued using the five day volume weighted average price of Westpac shares up to and including the date of
receipt of AUSTRAC’s Statement of Claim on 20 November 2019 ($26.20) applying a 50% discount for long term variable reward
subject to performance conditions.
May 8, 2020
Mr Peter Nash
Chairman of the Westpac Board Financial Crime Committee
Westpac Banking Corporation
Dear Peter,
The Advisory Panel Review – Board Governance of AML/CTF Obligations at Westpac
In December 2019, the Westpac Board invited us to form an Advisory Panel to assess the
ways in which the Board has handled the matters raised in the AUSTRAC allegations.
The purpose of the Panel’s Review, contained in the Terms of Reference, was to examine
the processes whereby the Westpac Board has managed its AML/CTF obligations and also
to assess the level of diligence that had been exercised by the Board throughout the years
covered by the claims.
The Panel has now completed its assessment and we are pleased to provide you with the
Final Report.
We have appreciated the support of your staff as we have carried out our work but
emphasise that we take full ownership of the views that we have reached.
Yours sincerely,
Colin Carter AM Kerry Schott AO Ziggy Switkowski AO
BOARD GOVERNANCE OF AML/CTF
OBLIGATIONS AT WESTPAC:
THE ADVISORY PANEL REVIEW
8 May 2020
This report is strictly confidential. It represents the independent views of the
Advisory Panel.
Advisory Panel Report
THE ADVISORY PANEL REPORT MAY 2020 2
Table of Contents
1. Executive Summary
2. Context
2.1 Rapid Technology Changes
2.2 A Decade of Increased Focus upon Financial Crime
2.3 An Increasing Expectation to Meet ‘Social Licence’ Obligations
2.4 Increasing Expectation of What Boards Can and Should Do
3. Summary of the AUSTRAC Allegations
4. The Structure of Board Governance
4.1 Board Structures and Composition
4.2 Risk Management at Westpac
4.3 The Increasing Focus on Financial Crime
5. Were Board Processes Adequate?
6. Was the Diligence by Directors Adequate?
7. Next Steps
Appendices
Appendix A: Advisory Panel Membership
Appendix B: AUSTRAC Allegations in Detail
Appendix C: Terms of Reference
Appendix D: Review Process
Appendix E: Risk Taxonomy
1. Executive Summary
This report is the Advisory Panel’s
response to the questions posed to it by
the Directors of Westpac Banking
Corporation (Westpac) in regard to the
AUSTRAC allegations made against
Westpac on 20 November 2019. It deals
with how the Westpac Board has handled
its obligations to comply with the Anti
Money Laundering and Counter Terrorism
Financing Act (AML/CTF Act).
Overseeing financial crime risk is an
important but small part of the Board’s
overall responsibilities. The Report
focusses on this issue specifically and, for
a wider consideration of board
governance related matters, the Panel
recommends that readers consult the CBA
Prudential Enquiry (May 2018), the
Westpac Culture, Governance and
Accountability Self-Assessment
(November 2018), the ASIC Corporate
Governance Task Force Report (October
2019) and the APRA Banking Executive
Accountability Regime (February 2018).
The Statement of Claim alleged serious
contraventions by Westpac of the
AML/CTF Act covering the period 2013 to
2019. The allegations fall into four broad
categories - inadequate reporting of
millions of international funds transfer
instructions, a failure to carry out
adequate risk assessments of
correspondent banks, a failure to adopt
and maintain an AML/CTF program, and a
failure to conduct adequate ongoing due
diligence and enhanced customer due
diligence. AUSTRAC also alleges
“inadequate oversight” by the Westpac
Board. More detail about these
allegations is at Appendix B.
In response, the Westpac Board initiated
several reviews, including this by the
Advisory Panel. Our task was not to
interrogate specific AUSTRAC allegations
but rather to answer two questions:
1. Were the formal Board processes,
including information flows, adequate to
ensure informed oversight of
compliance with the requirements of
the AML/CTF Act?
2. Was the level of diligence exercised by
Directors within these processes
appropriate?
The Advisory Panel’s Terms of Reference
are included in Appendix C. Over a four-
month period, Panel members have met
with current and a number of former Board
members and relevant senior executives.
We have followed a process described in
Appendix D.
The time period that the allegations relate
to (2013 - 2019) was a period in which a
number of relevant trends were evident.
These included rapid changes in
technology in the financial services sector,
an increasing focus on financial crime, an
increased expectation that all companies
had a ‘social licence’ obligation to meet,
and increasing expectations about what
boards can and should do. This context is
pertinent when considering issues of
Board process and diligence.
The issues examined required a look back
over nearly ten years. The ignition event
for the International Funds Transfer
Instructions (IFTIs) breaches¹ occurred in
2010 and the problem persisted for some
years until self-reported by Westpac. A
relatively small IT project involving a
software upgrade and complex plumbing
to connect to other systems was not
completed satisfactorily and resulted in
regulatory reporting deficiencies, which
the Bank’s control and reconciliation
processes failed to detect for some years.
¹ In this instance, a breach is the non-reporting of an IFTI. Based on suspicious matter reporting and the composition of
payment originators, IFTIs appear to overwhelmingly relate to legitimate and uncontroversial transactions - perhaps
99.95% or more in the case of the 23 million IFTIs in question.
Following the self-reporting of breaches by
Westpac in August 2018, AUSTRAC
noted its concern about the control
environment at Westpac and substantially
broadened its enquiries, which resulted in
the Statement of Claim.
Our task is to make judgements about the
actions of the Board with the (substantial)
benefit of hindsight.
First, were the formal Board processes,
including information flows, adequate
to ensure informed oversight of
compliance with the requirements of
the AML/CTF Act?
The Board of Westpac, its Committees
and composition, meeting frequency,
participation of members and relevance of
the agenda are all as one would expect in
a large listed company and overall
governance at this level is good.
However, financial crime was a relatively
small item within a very crowded Risk and
Compliance agenda until 2017. This is
likely to have been the case across the
financial sector in Australia given the
domestic focus of our banks, relative
success in negotiating the Global
Financial Crisis, the movement of
executives and sharing of experiences
between companies, which ensure
broadly similar processes and approaches
across the sector – an observation
consistent with the ASIC review.
It was in the monitoring of financial crime
risk management, and related controls,
that shortcomings are evident, particularly
early in the years under review. There
seem to be a number of reasons for this.
First, although reporting was regular, the
‘voice of financial crime risk’ was not loud
enough, nor were the concerns that the
regulator might have expressed. In a
Group environment congested by
extensive reporting and information flows,
financial crime risk did not emerge with
clarity above the background noise and its
risk was not properly appreciated and
hence given the priority it deserved until
about 2017.
The Board Risk and Compliance
Committee (BRCC) agenda was large with
typically about 35 - 40 agenda items and
also around 40 meeting participants
(including guest presenters and subject
matter experts for specific items), which
made engagement with every issue
difficult. However, the evidence suggests
the BRCC was conscientious and hard
working. At the Board Risk and
Compliance Committee, the quarterly
report on Financial Crime was presented
and this included inter alia reports on the
outcomes of assessments by AUSTRAC
from time to time.
Second, there were weaknesses in
change management, including business
processes and execution, that allowed a
non-compliant AML/CTF environment to
develop, and poor control and monitoring
processes permitted the situation to
continue for seven years or more. The
regulatory environment moved faster than
Westpac’s ability or willingness to respond
with its management systems, data
analytic resources and processes.
Finally, while the information flows to the
Board and its Committees were adequate,
the content of that information was not. It
was sometimes misleading or information
was omitted. Matters that were not known
by management could not be provided.
When this occurs, it is a huge problem for
any board.
We found no evidence of executives not
reporting material matters they knew to
the Board. Unsatisfactory risk
assessments – being ‘out of appetite’ -
were regularly reported to the Board.
When problems were uncovered, they
were quickly reported to senior
management and the Board and, where
appropriate, to the regulator.
Importantly, in light of the community view
of banks since the Hayne Royal
Commission, we also find no evidence
that greed, self-interest, or remuneration
incentives played any obvious part in
Westpac’s approach to its AML/CTF
obligations – even in those areas of
underperformance. Westpac people are
impressive in their individual and collective
drive to ‘do the right thing’. There was
genuine and widespread dismay over the
child exploitation allegations.
Overall, this saga reveals that major sins
were ones of omission and not of
commission. AUSTRAC’s allegations
against the Bank include matters that
were unknown at the time to the Bank’s
leadership. The failings – such as non-
reported IFTIs or inadequate due diligence
on correspondent banks and particular
customers – occurred deep in the
organisation and it is not reasonable to
expect that a board should find these out.
The Board relies on information flows from
management and it was the content of
those flows that was poor. Information
was (unintentionally) misleading and
sometimes omitted.
The second question was whether the
level of diligence exercised by
Directors within these processes was
appropriate?
Our assessment is that, while not
satisfactorily focussed before 2017 and
slow off the mark, the Board’s response
appears to have been appropriate after
2017, though reaction times remained
slow.
In the earlier years under review, it
appears that the Board and the Board
Risk and Compliance Committee, were
slow to recognise global trends in financial
crime and increased enforcement activity
in AML/CTF. The Bank’s executive
leadership and financial crime teams were
light on relevant international experience –
an undervalued competence – and
specialist resources devoted to financial
crime were insufficient.
The Board and management allowed out-
of-risk-appetite situations to persist for
long periods. The Three Lines of Defence
framework had shallow roots in the
financial crime risk area. The assumption
by the Board was that relevant processes
were reinforced by the Three Lines of
Defence and normal assurance tests.
This assumption proved to be incorrect.
And the Board Risk and Compliance
Committee, while overseeing Risk across
the Group, probably could have picked
these things up.
The reaction by Directors to recurring
reports of red flagged risk actions in
AML/CTF was not sufficiently urgent. A
gap developed between Board
engagement with AML/CTF obligations
and that which was expected by
AUSTRAC.
There is also no evidence that the
Westpac Board suffered from a lack of
readiness to ask relevant questions, but it
sometimes let lagging improvement and
risk mitigation efforts continue
unchallenged for too long.
Leading up to early 2017 and beyond,
there has been considerably increased
engagement by the Board. A Financial
Crime Strategic Plan was tabled with the
Board Risk and Compliance Committee in
March 2019 after extensive work in 2018
leading to the development of a Financial
Crime Program as an aggregate vehicle
for remediation, governance and
accountability plans and activities for
financial crime matters.
A training workshop was held for Board
members on financial crime and there was
a significant uplift in the resources
deployed. New executive and Board
appointments have brought in relevant
international and domain expertise.
Hundreds of additional staff have also
been engaged. Management of non-
financial risk was embedded in Westpac’s
senior management remuneration
scorecard. Executive roles overseeing
non-financial risk were upgraded in the
Bank’s organisational structure.
The key role of the Board is to provide and
approve a framework for management
and staff to manage their AML/CTF risks.
Early in the period, the program to do this
was immature and inadequate but during
2018 and 2019 the Board and the Board
Risk and Compliance Committee gave
considerable attention to the matter and
the latest Program was approved in March
2019.
Shortcomings in the financial crime risk
area do not necessarily indicate a lax risk
management culture at large in the Bank.
Our view is that Board and management
oversight of financial risk appears strong
and robust. Building the same rigour into
non-financial risk management, including
financial crime risk management, will be a
much easier task than if the ‘risk culture’
throughout Westpac was deficient.
Early shortcomings aside, there was a
noticeable shift in the Bank’s response to
financial crime issues from around 2017
onwards. The documentary record shows
a serious level of Board engagement with
AML/CTF issues from that time and the
Advisory Panel is of the view that Board
diligence after 2017 was reasonable.
2. Context
In forming judgements about how the
Westpac Board dealt with these matters it
is important to understand the
environment within which decisions were
being made and priorities set.
The allegations by AUSTRAC against
Westpac occurred within the context of
four evident trends:
• Rapid industry change in technology
and data analytics capability;
• Increasing focus on financial crime by
regulators around the world;
• Increased community expectation that
companies have serious obligations of
a ‘social licence’ kind; and
• Increasing expectations about what
boards can and should do.
All four trends are important in considering
board governance and accountability at
Westpac in the years relevant to the
AUSTRAC allegations.

2.1 Rapid Technology Changes
The business of banks is no longer just
about collecting deposits and lending to
home buyers and commercial entities at a
margin which provides a fair return, if it
ever was, but also to accumulate, store
and monitor information on every
transaction and, when required by law,
pass onto regulators and police for their
scrutiny in search for evidence of any
criminality.
Digitisation and the internet have greatly
facilitated real time transactions, record
keeping and innovative financial
processes, all of which benefit customers,
while introducing new risk classes around
cyber security and financial crime.
Heavy continuing investments in IT
infrastructure are required. These put
upward pressure on costs and downward
pressure on margins.
Companies have decisions to make in
striking the right balance. A subsidiary
question arising from this review is
whether the Westpac technology
platforms are best practice and what part
they played in Westpac’s capacity to deal
with AML/CTF obligations?
2.2 A Decade of Increased Focus
upon Financial Crime
In the aftermath of 9/11 (2001)
governments and regulators stepped up
their surveillance of money flows focusing
upon financing of terrorism, but a decade
later their work had expanded to cover
financial crimes such as money
laundering, drug trafficking, channels
to/through sanctioned regimes, fraud and
corrupt practices, and tax evasion.
Global banks were impacted earliest;
Australian banks detected the shifts and
responded but only after an interval of
some years. The largely domestic profile
of the major Australian retail banks and
the apparent focus of AUSTRAC on tax
evasion, welfare fraud, terrorism and
organised crime meant that other
AML/CTF issues were less likely to be on
their radar than was the case overseas.
Overseas banks, partly because of their
greater struggles during the Global
Financial Crisis (GFC, 2007-09), were
forced to recognise and address
shortcomings in their management of non-
financial risks much earlier. While their
focus was on customer product and
service compliance matters, it forced more
rapid improvements in non-financial risk
management than in Australia at the time.
Australian banks fared relatively well
during the GFC, being well capitalised,
and were well regarded for their
management of financial risk. Regulators
also interpreted the Australian experience
as reflecting on their own adequate
oversight of the system.
AML/CTF in Australia became an
observable component of a larger risk
management agenda around 2010, some
years after global banks. Since then the
enforcement of financial crime legislation
has become much more important globally
and more robust.
There has been high profile litigation in the
US, UK and in Europe. This is also true in
Australia where enforcement activities by
AUSTRAC have become more serious in
recent years with enforcement actions
against Tabcorp in 2015, resulting in the
largest civil penalty ever to that time, and
CBA in 2017.
The CBA penalties were a big wake up
call for the financial services industry.
Today, more than previously, banks
understand that they must maintain an
appropriate AML/CTF program and
conduct sophisticated analyses of their
transactions and customers to help detect
criminal activity.
2.3 An Increasing Expectation to
Meet ‘Social Licence’ Obligations
In the decade bookended by the GFC
(2007-09) and the Hayne Royal
Commission (2018-19), perceptions of the
financial services industry in general, and
banks in particular, changed considerably.
Until recently, the main metrics of success
for a major listed company centred on
increasing dividends and share price
appreciation. And in this respect,
Westpac has been a successful business.
Important processes, such as the
oversight of financial risk, were mostly fit
for that purpose, well documented and
managed.
However, the ‘purpose’ of an institution
has been redefined, and companies are
now recognising their responsibilities are
to a broader set of stakeholders than just
simply shareholders and extend to
employees, community, customers,
suppliers and regulators.
Evidence that the role of boards now
typically includes much more than a focus
on shareholder returns is found in
Westpac’s Board Charter, which includes
meeting non-financial objectives
associated with maintaining a ‘social
licence’.
Furthermore, the recent Hayne Royal
Commission highlighted instances where
Australian banks had treated certain
customers poorly and indulged in
practices that were at times unlawful and
certainly unethical. The Royal
Commission left much of the community
dissatisfied with the conduct of banks and
the AUSTRAC allegations have fed into
this.
One inference was that much of this
behaviour was judged to be motivated by
greed and supported by the way bank
executives were remunerated. As a
result, community attitudes towards banks
and their CEOs and senior executives
continued to harden. And regulators, also
criticised in the Royal Commission,
became much more resolved.
In large retail banks like Westpac this
wider role for a board is, in part, enforced
through a myriad of legal and regulatory
requirements which have expanded over
time. Together, the expanded
expectations of the board, and added
legal and regulatory requirements, mean
that a bank’s behaviour is judged now
against more exacting and diverse
standards than that which existed a
decade or more ago.
2.4 Increasing Expectation of
What Boards Can and Should Do
Assessing whether a board has done well
or poorly is substantially determined by
views about what boards can and cannot
be expected to do. This is something of
an ‘elephant in the room’ issue. It is rarely
discussed but is central to our
considerations.
And here we see society’s steadily
increasing expectations, which are not
necessarily well founded, on what boards
are set up to achieve.
Non-executive Board members are
intentionally, and importantly, not part of
management. Current governance rules
require that Non-Executive Directors be
part time and independent which
effectively precludes persons with prior
experience of the company in question
from being a member of the board.
As at December 2019, Westpac had nine
Non-Executive Directors plus the
CEO/Managing Director, which is quite
typical of large companies. If each Non-
Executive Director spends between one
and two days per week on the job, that
equates to a ‘full-time equivalent’ of only
around three Directors. The statement of
the duties of a company director is large
and growing but with such limited capacity
boards will always have to decide which
issues are to have priority. They cannot
do everything.
Discussions about the responsibilities of
board members rarely touch on what is
realistically feasible for them to achieve.
In risk management, are they an
additional line of defence conducting
detailed diligence; or rather a high level
overseer of risk management strategy and
policy and a high level monitor of risk
management competence and
effectiveness? To what extent can boards
be expected to pick up major mistakes
deep inside their company?
An important issue that comes out of our
review is to ask how boards might better
prioritise their work in order to lessen the
risks of serious oversights such as those
alleged by AUSTRAC.
3. Summary of the AUSTRAC Allegations
AUSTRAC, the financial crime regulator in
Australia, was established in 1988 under
the Financial Transaction Reports Act
1988 and continued with more emphasis
under the Anti-Money Laundering and
Counter Terrorism Financing Act 2006.
As we have noted, local enforcement
activities by AUSTRAC have become
more serious in recent years with
enforcement actions against Tabcorp in
2015 and CBA in 2017. Both these cases
resulted in very large civil penalties of $45
million and $700 million respectively.
The Statement of Claim made by
AUSTRAC against Westpac was lodged in
the Federal Court on 20 November 2019.
The allegations all relate to contraventions
of the AML/CTF Act and cover a number
of breaches. The allegations span the
period 2013 to 2019 and attracted
significant media scrutiny and very
negative public reaction, including from
politicians. AUSTRAC also alleges that
there was “indifference” by Westpac
senior management and “inadequate
oversight” by the Board.
Following the AUSTRAC allegations,
APRA and ASIC have now launched
investigations and independently a
number of class actions are underway.
APRA is examining whether Westpac
breached the Banking Executive
Accountability Regime introduced in 2018;
and ASIC is investigating whether
continuous disclosure breaches occurred
during a capital raising earlier in 2019.
The allegations that AUSTRAC made
against Westpac fall into several broad
categories:
• Inadequate reporting of millions of
international funds transfer
instructions;
• Failure to carry out risk assessments
of ‘correspondent banks’;
• Failure to adopt and maintain an ‘anti-
money laundering, counter terrorism
financing and other serious crimes
program’; and
• Failure to conduct adequate ongoing
due diligence and enhanced customer
due diligence.
The first allegation is made up of a
number of failings and is a straightforward
compliance issue. A large number of
International Funds Transfer Instructions
(IFTIs) were not reported to AUSTRAC,
did not provide all the required details, and
in some cases provided no details at all
about the instructions within the time
allowed. This non-compliance is alleged
to have occurred over many years from
2013 to 2019. Information about the
payer or the origin of the transferred
money was sometimes incomplete.
Furthermore, some records of fund
transfers were not retained by Westpac for
the required seven-year period.
The second category of allegations
asserts inadequate risk assessments on
some ‘correspondent banking’
relationships - arrangements made with
other banks to provide payments (and
other services) for those correspondent
banks and their customers. Westpac had
correspondent banking relationships with
sixteen foreign banks and these
international relationships are considered
to involve greater AML/CTF risks because
they encompass cross border
transactions, different jurisdictional risks,
and some limits to the transparency of the
identity of the customer and the source of
funds. Some assessments had been
done by Westpac of its correspondent
banks but AUSTRAC alleges there were
shortcomings in these assessments that
led to Westpac contravening the Act.
An anti-money laundering, counter
terrorism financing and other serious
crimes program was allegedly not adopted
and maintained in an adequate manner.
The general part (Part A) of this program is
to identify, mitigate and manage the risk of
getting involved in, or facilitating, money
laundering, financing terrorism or other
serious financial crime. AUSTRAC
alleged that shortcomings in the program
led to a failure to identify, mitigate and
manage such risks. In particular,
AUSTRAC alleged that the general part of
the program (Part A) did not comply with
Rules under the Act.
Finally, in respect of ‘KYC - knowing your
customer’, AUSTRAC claims that
Westpac’s failure to adequately conduct
ongoing due diligence and enhanced
customer due diligence meant that activity
indicating possible child sexual
exploitation was not detected as
effectively as it might have been. Due
diligence for this type of crime is
conducted in part by analysis and
investigations using typologies that specify
what particular patterns criminal activity
exhibits and searching large data bases to
find such examples. For child sexual
exploitation the attributes in the typologies
include frequent low value payments to
South East Asian countries, sometimes
accompanied by travel to those
destinations and sometimes by knowledge
of previous crime. Of course frequent low
value payments can also encompass
family remittances from migrant workers,
pension payments, and other ‘innocent’
transactions so the analysis is just a first
step in the detection process. It was this
type of due diligence that AUSTRAC
alleges was inadequately conducted by
Westpac. The twelve of Westpac’s
approximately 14 million customers[2] who
were alleged to have made payments to
beneficiaries, principally in the Philippines,
were monitored by Westpac and
suspicious matter reports had been
lodged. However, AUSTRAC alleges that
had due diligence been appropriate
detection would have occurred sooner.
[2] Customer data as at 30 September 2019: Westpac Group’s 2019 Full Year Financial Results Presentation and Investor Discussion Pack.
These are serious allegations. The first
allegation is a ‘black-and-white’
compliance issue. Certain transactions
must be reported and records kept. If this
is not done the regulator does not
necessarily have the data needed to track
down serious financial crimes. AUSTRAC
and other financial crime regulators
globally rely on this information. However,
it is important to note that this allegation
concerns the non-reporting of transactions
and not their legality. The IFTIs appear to
overwhelmingly relate to legitimate and
uncontroversial transactions - perhaps
99.95% or more in the case of the 23
million IFTIs in question.
The second allegation draws attention to
the fact that relationships with other banks
(or ‘correspondent banks’) open
opportunities for financial crime if those
banks are not also conducting their own
affairs in an appropriate and proper
manner. This matter must be checked to
maintain integrity in the whole system.
The third allegation that Westpac does not
have an adequate program to mitigate and
manage serious financial crime is
particularly serious. This is a basic
requirement for a bank to conduct its
operations.
Finally, the allegation that adequate
ongoing due diligence and enhanced
customer due diligence was not
conducted means criminals can use the
banking system for criminal activity, and in
this alleged case, patterns of transactions
on the accounts of twelve customers were
indicative of child exploitation risks and
while reported as suspicious matters this
detection was allegedly not as timely as it
should have been.
The complete Statement of Claim is
available on AUSTRAC’s website at
https://www.austrac.gov.au/
4. The Structure of Board Governance
The way in which the Westpac Board has
organised its governance responsibilities
is quite typical of large corporations and of
large banks – and this includes the ways
in which the Westpac Board has
organised its oversight of risks, both
financial and non-financial.
The main challenge facing the Board –
and indeed of all large banks and major
corporations – is how to cover the large
scope of matters that have to be
addressed.
4.1 Board Structures and
Composition
The Board and Board Committee structure
at Westpac is similar to that of most large
companies in Australia. The Westpac
Board in June 2019 was comprised of ten
independent Non-Executive Directors and
the Chief Executive Officer. Of the ten
independent Non-Executive Directors, four
were women and six were men. The
Board typically meets eleven times each
year.
The skills and expertise among the Non-
Executive Directors appear well balanced
and considered. In mid-2019 there were
four with senior experience in financial
services along with the expertise of the
CEO. Two of these Directors had a
background in a large retail bank, one in
investment banking, and one in financial
services. The other Non-Executive
Directors were experienced business
executives. Two, including the Chairman,
had professional accounting backgrounds
and advised and worked in the corporate
sector; one Director was a very
experienced corporate lawyer; and the
other three were experienced in digital
transformation, communications and
technology more broadly.
Given the ‘big data’ and digital
developments that are ongoing in banking,
the relatively recent appointments of
Directors with expertise in these areas
make sense. The Board also has some
regulatory experience with one Director
having served on a government financial
system inquiry and another on an
international body concerning international
finance and regulation.
The immediate past Chairman of the
Board recently retired early (following the
AUSTRAC allegations) and he was the
longest serving Director, having been on
the Board for 12 years from 2008 to 2020,
and Chairman for eight years since 2011.
The four next longest serving Directors
have been on the Board for four to six
years. The remaining five Directors have
been in their positions for about one to
three years with the two latest
appointments being in 2019.
No current Director was a Board member
at the start of the period covered by
AUSTRAC’s allegations. By 2020, the
tenure of no current Board member
extended back beyond June 2013, other
than for Lindsay Maxsted who had been
Chairman since December 2011. Board
member turnover, at least until November
2019, has been unremarkable and well
planned.
Board Committees include separate
committees for each of Audit, Risk and
Compliance, Nominations, Remuneration,
and Technology. This is a familiar
committee structure for an Australian
company of this size though the creation
of a Board Technology Committee
acknowledges the transformation
occurring in financial services. In
response to the recent AUSTRAC
Statement of Claim, the Board has also
established a Board Financial Crime
Committee.
The Board Risk and Compliance
Committee meets five times per year and
all Directors are members of this
Committee. This Committee was chaired
by a Director with a corporate law
background and extensive business
experience. He did not seek re-election to
the Board following the AUSTRAC
allegations. Another senior Director with
retail banking experience has been
appointed as BRCC Chair.
Westpac established its Board Risk and
Compliance Committee well before 2008
when APRA suggested that banks
consider establishing Risk Committees. It
was not until 2019 that APRA made Risk
Committees mandatory for banks and set
out a number of procedures for their
operation, all of which Westpac has
complied with for many years.
During this period, the Board Audit
Committee was chaired by a very
experienced Director with a financial
background and prior experience in retail
banking. In 2019, the Board Audit
Committee met six times a year and had
four Directors as members.
The Board Technology Committee had
four members in June 2019 and is chaired
by a Director with a background and
interest in technology and digital
transformation in particular. At this time,
the Board Nominations Committee was
chaired by the Chairman of the Board and
had five members. The Board
Remuneration Committee is chaired by a
Director with experience in the financial
sector and has three members.
In summary, the way in which the
Westpac Board has organised its
governance responsibilities is mainstream
and ‘fit for purpose’. The main challenge
is not the governance structure itself.
Rather, it is the huge scope of a board’s
work relative to the ‘board capacity’ that is
available. Today’s governance rules
mean that, other than the Managing
Director, the Board is comprised of part-
time Directors who have no prior career
experience at Westpac. And so, while the
structures might be well designed and the
appointments to the Board well-chosen,
the challenge is how to ‘oversee’ what is
happening in a company with, in this
instance, over 14 million customers and
over 36,000 employees[3].
[3] Customer and employee data as at 30 September 2019: Westpac Group’s 2019 Full Year Financial Results Presentation and Investor Discussion Pack.
4.2 Risk Management at Westpac
The management and oversight of risk at
Westpac is a big task. Financial risk
management is fundamental to the
business of the Bank. As well as financial
risk, the Bank must also manage its non-
financial risk. Westpac’s Risk
Management Framework identifies eleven
major categories of ‘risk’ ranging from
credit and liquidity to cyber and
reputational (see Appendix E).
The Board is responsible for approving the
Westpac Group Risk Management
Strategy, the Westpac Group Risk
Appetite Statement and monitoring the
effectiveness of risk management. The
Board Risk and Compliance Committee
monitors the risk profile and controls for
adequacy and appetite, and provides
regular reports to the Board on these
matters.
The risk management that the Board, and
its Board Risk and Compliance
Committee, are monitoring is performed
under a standard ‘three lines of defence’
model. This has been the approach to
risk management at Westpac throughout
the 2013-2019 period.
The first line of defence is the operational
or business manager who takes
responsibility and is accountable for risk
management (both financial and non-
financial) across his/her business lines.
The second line of defence is with
specialist risk and control personnel.
These work with the operational areas but
are separate from them; and should bring
expertise and knowledge in particular risk
areas – such as financial crime. This is
the group that is most in contact with the
regulators about ongoing developments
and requirements.
The third line of defence is internal audit
and external audit. These auditors
validate risk and control assessments.
This line of defence provides management
and the Board with independent
assurance about the design and
operational effectiveness of the Bank’s
risk management activities. Their focus is
assurance and is often the most visible of
the lines of defence to the Board.
The external auditor explicitly focusses on
the annual financial statements and non-
financial risks are relevant to the extent
they are key audit matters to be disclosed
in the financial statements. Such matters
can include provisions being made for
compliance, regulation and remediation
relating to conduct matters where these
are relevant. The external auditor must
preserve its independence and typically
other third-party experts are engaged
across the Bank by various business
areas to examine assurance and
compliance. This work occurs in any area
of risk, both financial and non-financial.
Internal audit is intended to be an
independent assurance function for the
Board, senior management, and
regulators. Internal audit should provide
opinions on the adequacy and
effectiveness of the first and second line
of defence across both financial and non-
financial risks. Material risk classes
should be tracked by Internal Audit along
with any remediation work underway. The
Internal Audit Plan is set annually,
approved by the Board Audit Committee
and modified where required as the year
progresses and risk profiles and
circumstances change.
4.3 The Increasing Focus on Financial Crime
Financial crime matters and related risk
issues were reflected in Board papers
over the period 2013 - 2019. However,
the importance of financial crime
increased at the Board and, by February
2015, oversight and approval of a financial
crime risk framework was delegated by
the Board to the Board Risk and
Compliance Committee for attention.
Since that time a dedicated Financial
Crime Report has been tabled at that
Committee quarterly.
The increasing attention being paid to
financial crime is also evident in the
Westpac Group Annual Reports. Up until
2016 these reports include references to
financial crime in their Supervision and
Regulation section, and under Risk
Factors. The law concerning anti-money
laundering and counter terrorism
financing, and the role of AUSTRAC, is
noted. From 2017 the failure to comply
with financial crime obligations is dealt
with quite prominently in the Risk Factors
commentary section.
In the Westpac Group Annual Reports of
2018 and 2019 the risk of financial crime
understandably received substantial
attention. In 2018 the fact that millions of
International Funds Transfer Instructions
had not been reported to AUSTRAC was
explained and that these errors, once
known, had been immediately self-
reported to AUSTRAC. An ongoing
review of Westpac’s anti-money
laundering and counter terrorism financing
environment was noted.
In 2019 the focus on financial crime in the
Westpac Group Annual Report continued
with the Directors referring to processes
and controls in this area being given
particular attention. Financial crime is
mentioned as a risk to be considered in
determining remuneration outcomes and a
potential contingent liability associated
with the breach is noted.
AUSTRAC’s priorities in the financial
crime area vary over time depending on
changing circumstances. Not surprisingly
over the past decade these priorities
changed as partly indicated by
AUSTRAC’s guidance to banks like
Westpac - through case studies,
typologies, and involvement in forums like
the Fintel Alliance. AUSTRAC’s Annual
Reports give a more backward-looking
indicator. Judging from AUSTRAC’s
Annual Reports before 2016, the focus
was on tax evasion, welfare fraud and
terrorism. Child exploitation is a more
pronounced theme in years after 2017.
5. Were Board Processes Adequate?
The first question asked of the Advisory
Panel was ‘Were formal Board processes,
including information flows, adequate to
ensure informed oversight of compliance
with the requirements of the AML/CTF
Act?’
As Section 3 has explained there were
four areas where AUSTRAC alleged there
were failures to comply with the AML/CTF
Act. These were various failings in reports
to AUSTRAC about international funds
transfer instructions, inadequate due
diligence of correspondent banks, a failure
to adopt and maintain an AML/CTF (and
other serious crimes) program, and finally
inadequate due diligence of customers.
The relevant question for the Advisory
Panel then is to what extent formal Board
processes, including information flows,
contributed to these alleged failures?
The formal Board and Board Committee
processes are explained in Section 4 and
the view of the Advisory Panel is that
these processes are generally adequate
for risk management. The Board
approved the Westpac Group Risk
Management Strategy and is clear in the
Group Risk Appetite Statement about its
expectations of acceptable risk outcomes.
It was in the monitoring of financial crime
risk management and related controls that
shortcomings are evident, particularly
early in the years under review.
The task of monitoring risk management
for the Board is mainly the business of the
Board Risk and Compliance Committee.
Other Board Committees have roles that
are relevant to their focus areas; the
Board Technology Committee has an
interest in the adequacy of the bank’s IT
systems; and the Board Audit Committee
in any financial reporting consequences
from financial crime. The rhythm of these
Committee meetings, like that of the
Board, is as one would expect for a large
listed company. At the Board Risk and
Compliance Committee a quarterly report
on Financial Crime was presented and
this included inter alia reports on the
outcomes of assessments by AUSTRAC
from time to time.
The independent annual review of Board
Effectiveness was positive throughout the
period of interest though it is notable that
several Directors found the Board Risk
and Compliance Committee agenda
difficult. Appropriate attention, they felt,
could not be paid to the 40 or so items to
be addressed within a five hour meeting.
To address this issue the number of
meetings of this Committee per year was
increased from four to five in 2019.
It is our view that Board processes, and
the information flow to the Board and its
Committees, were adequate. However,
there was a problem with the content of
information. It is beyond our scope to
address management failings but when a
Board is not getting correct information or
matters are being omitted, its task is made
impossible. There is absolutely no
evidence that these errors were intentional
or that they were motivated to mislead the
Board. The simple fact is that
management did not know and hence
could not inform the Board until they did
know.
The Board became aware of the
AUSTRAC Statement of Claim on 19
November 2019, the evening before the
Statement of Claim was formally lodged in
the Federal Court. The AUSTRAC CEO
telephoned the Westpac CEO, as an act
of courtesy, to let him know of the
upcoming issuance of proceedings. The
Board’s knowledge of the four general
matters raised by AUSTRAC in its
Statement of Claim in November 2019
varied.
• First, with the non-reporting of
International Funds Transfer
Instructions (IFTIs) the Board had
direct knowledge of the matter at
around the same time they were
reported to AUSTRAC. This was in
August 2018, just over a year before
the Statement of Claim in November
2019. Well before this date the Board
Risk and Compliance Committee and
the Board knew that there were
problems with the management of
financial crime risk. This knowledge
covered the period 2011-2017. At
least quarterly, the Board received
reports that described the known
problems and how they were being
addressed.
There appears to have been no
attempt to sugar-coat the
assessments. Summary traffic light
assessments moved between ‘amber’
and ‘red’ and never to ‘green’. The
Bank’s own risk assessment for
Financial Crime was constantly rated
‘out of appetite’ and was frequently
downgraded as new problems were
uncovered. One issue after another
was uncovered and separately fixed
only to have another matter arise. The
extent of the issues became clear
during 2017, when dealing with
individual issues became a wider task
and it became clear that ‘band aid’
solutions were inadequate.
In 2017 the Westpac Institutional Bank
division investigated the financial
crime risk attached to the relevant
business lines in its operations. It was
this examination that led to the
discovery of the large number of
unreported IFTIs and the incomplete
information that had been reported to
the regulator. This was made known
to the Board in mid 2018 and the
seriousness of the under reporting
appears to have been well understood
by the responsible officer. AUSTRAC
was immediately informed in August
2018, as noted.
• Second, the Board’s knowledge of
problems within correspondent
banking due diligence was gained
over a long period of time. The Panel
was informed that as far back as
2011-12 problems around
correspondent bank due diligence
were being noted by management,
along with remediation requirements.
Compliance Assessments by
AUSTRAC were conducted in 2012
and 2016. The 2012 AUSTRAC
Assessment recommended
improvements and a requirement
needed to meet obligations under the
Act. The 2016 Assessment made
recommendations but did not set out
any requirements formally needed to
satisfy the Act. These Assessments
were noted in the quarterly reporting to
the Board Risk and Compliance
Committee and work appears to have
commenced by management to
address the known problems at the
time. Remediation across a range of
financial crime areas occurs,
particularly in transaction monitoring.
It was not until 2017-18, when the
Westpac Institutional Bank division
conducted an investigation, that the
extent of the problems became
clearer. Financial crime remediation
activities progressed more broadly
during this period, and extended
beyond the IFTI reporting issues.
Remediation included upgrades to the
IT monitoring system and
commencement of improvements in
controls including those covering
correspondent banks.
• Third, the AUSTRAC allegation that an
AML/CTF program had not been
adopted and maintained was not
known to the Board until the
Statement of Claim was lodged. The
Board was well aware during 2018-19
that work was underway to improve
the management of its financial crime
risks and serious attention was being
given to the matter by both senior
management and the Board,
especially through the Board Risk and
Compliance Committee. A plan to
manage anti-money laundering and
terrorism financing risk, the Financial
Crime Strategic Plan, had been
updated and adopted by the Board in
March 2019.
• Finally, when Westpac self-reported its
IFTIs non-compliance in August 2018
a series of Notices were issued by
AUSTRAC over the course of the next
14 months. Not surprisingly,
questions concerned payment flows,
standards, and procedures. On 20
September 2019 (two months before
the Statement of the Claim was
issued) Westpac received a Notice
from AUSTRAC inquiring about its
transaction monitoring and its use of
typologies to detect child sexual
exploitation. It was not until that point,
about two months before the
Statement of Claim, that Westpac had
any knowledge of AUSTRAC’s
possible concern about child sexual
exploitation.
This new line of inquiry from
AUSTRAC was brought to the
attention of the Board Risk and
Compliance Committee just before its
meeting on 31 October 2019. This
was the first time that the Board
received information that AUSTRAC
was examining concerns it had with
possible inadequacies in Westpac’s
transaction monitoring to detect
possible child sexual exploitation.
The Board and the Board Risk and
Compliance Committee also had
information reported to them that was,
with the benefit of hindsight, insufficient to
trigger appropriate and timely action. For
some years, the Board had been regularly
informed that the working relationship with
AUSTRAC was good. The Minutes and
material in various meetings over the
period covering 2013-19 are full of
descriptions of problems being addressed;
but also talked of a constructive working
relationship with AUSTRAC. This may
have contributed to a sense, at both Board
and senior management levels, that
despite the problems, issues were being
adequately addressed and that the
regulator was content with the progress
being made.
In addition, in 2014 Internal Audit
completed a review of compliance with
IFTI reporting. While improvements were
suggested there was no conclusion that
the reporting of IFTIs was not compliant.
What is especially concerning is that the
improvements suggested by Internal Audit
were not adequately followed up by the
first line of defence nor did the third line
appear to check whether or not this had
been done. Prior to this report the post
implementation review in 2011 of the IT
project concerning IFTI reporting gave
assurance to management that all IFTIs
were being noted as required. This was
incorrect and gave a misleading level of
confidence in the reporting systems.
A series of Compliance Assessments from
2013-2018 were conducted by AUSTRAC
that included reviews of Correspondent
Banking (2016) and on-boarding of high-
risk customers (2018). The assessments
recommended various actions and made
observations. No requirements to meet
the obligations under the AML/CTF Act
were noted and as the actions
recommended were completed and closed
the clear but misleading impression is one
of compliance.
Once the under-reporting of IFTIs had
been reported to AUSTRAC in August
2018 the communications from the
regulator make very clear their view of the
seriousness of the issue and the fact that
it had persisted for so long. They flagged
a concern about the control environment
and began seeking more detailed
information. AUSTRAC also signalled
concerns over due diligence of
correspondent banking and in November
2019 a line of inquiry commenced about
the detection of child sexual exploitation.
At the same time the Chief Risk Officer
correctly noted in a memo to the Board
that a key message from different
regulators and reviews was that Westpac
had been slow to act on certain
longstanding issues.
In summary the Advisory Panel concludes
that the processes of the Board were
adequate and its receipt of information,
and the timing of that information, were
also adequate. What failed was that the
information provided by management was
sometimes misleading or omitted. What
was not known by management could not
be provided.
6. Was the Diligence by Directors Adequate?
The second question for the Advisory
Panel concerned the Board’s diligence in
the financial crime area. ‘Was the level of
diligence exercised by Directors within
these processes appropriate?’
It is clear that the level of diligence applied
by the Board to financial crime risk
management increased around 2017.
Prior to that time, and as far back as 2013,
the Board and management attention to
financial crime was less. A non-compliant
AML/CTF environment had developed,
and poor control and monitoring
processes permitted the situation to
continue for too long. While there are
understandable reasons why the Board
gave the matter less priority in these early
years before 2017 there were some
warnings about the importance of financial
crime risk management that the Board
could have noticed earlier:
• Externally the increasing importance
of financial crime, especially overseas,
was evident. The earlier enforcement
cases elsewhere and those that
AUSTRAC brought against both
Tabcorp and CBA reinforced this
trend.
• Internally there were also warnings
though muted. Out-of-risk-appetite
situations were reported to the Board
Risk and Compliance Committee and
tolerated for long periods. While the
matters were reported to be getting
management attention, the long period
of time that unacceptable risk-appetite
persisted is notable.
• Internally it was also known that to
meet compliance obligations in the
financial crime area an analysis of
data relating to millions of
transactions, customers, and
correspondent banks was needed.
This meant IT systems and how they
are used had to be fit-for-purpose. We
are told that significant resources had
been invested in IT systems. However,
how these systems were used may
have hampered data collection,
forensic analysis and regulatory
reporting.
Early shortcomings aside, there was a
noticeable shift in the Bank’s response to
financial crime issues from 2017 onwards.
The documentary record shows a level of
Board engagement with AML/CTF issues
from that time and the Advisory Panel is of
the view that Board diligence after early
2017 was reasonable.
In the period from 2017 to when the
AUSTRAC Statement of Claim was
lodged in November 2019:
• An enterprise “Get-to-Green” Working
Group chaired by the Group Chief
Financial Officer and the Group Chief
Risk Officer was established to
manage the resolution and track the
remediation of issues which were
delaying a return to satisfactory Risk
Appetite for AML/CTF. This was an
important step in addressing the string
of reports about assumed-to-be
unrelated issues that had been coming
to the Board for many years.
• A Financial Crime Workshop and
Financial Crime ‘Deep Dive’ was held
for all members of the Board Risk and
Compliance Committee in November
2017. This was to provide the Board
Risk and Compliance Committee with
“greater awareness of the Group’s
approach to managing, and the
current status, of its Anti-Money
Laundering and Counter-Terrorism
Financing (AML/CTF) obligations”.
• In early 2018 the Board reviewed a
detailed plan and then resolved to
implement its ‘Part A Program’.
• The Board approved the ‘Five Streams
of Work’ required to put various
AUSTRAC recommendations in place.
• A Financial Crime Strategic Plan was
approved by the Board in March 2019
after extensive work in 2018 leading to
the development of a Financial Crime
Program as an aggregate vehicle for
remediation, governance and
accountability plans and activities for
financial crime matters.
• A strategic program was initiated in
2015 to upgrade and migrate four
separate parts of the Detica IT system
into a single global platform. The aim
was to allow real time screening and
establish a global transaction
monitoring program. The upgrade
was planned to be delivered over the
period 2016-2021 at a cost of $60
million.
• The Board Risk and Compliance
Committee noted the implementation
of findings and recommendations from
the various AUSTRAC Compliance
Assessments conducted over the
period (including Correspondent
Banking in 2016, review of Suspicious
Matter Reports in 2017, and on-
boarding of high-risk customers in
2017).
• The Board was aware of Westpac’s
involvement in the Fintel Alliance,
launched by AUSTRAC in early 2017,
and with other government / industry
financial crime related collaboration
initiatives (for example the Joint
Financial Intelligence Centre in 2016).
• A series of important executive
appointments were made starting in
2017. Senior executives were hired
with deep and relevant financial crime
and non-financial risk experience.
Significantly, some of these hires were
from overseas banks where progress
in managing such matters was (and is)
more mature than in Australia.
• New Board appointments brought in
persons with relevant technical and
offshore experience.
• Organisational changes were made
which elevated the seniority of
financial crime executives and uplifted
financial crime capabilities. A Global
Head of Financial Crime, with
international experience, joined
Westpac in April 2019, and this new
role reported to the Chief Compliance
Officer.
• Internal resourcing dedicated to
financial crime (including financial
crime operations) increased
substantially, doubling to 750 people
in the past three years.
• The Board directed action to correct
the reporting of IFTIs once the matter
had become known to the Board and
AUSTRAC in August 2018. In 2019
the Board oversighted the
appointment of specialists to conduct
an independent review of the
transactions.
• Management of non-financial risk was
embedded in Westpac’s senior
management remuneration scorecard,
initially through a separate weighted
element within the scorecard. (In
2019 this was a generic 7.5% for non-
financial risk management with a
higher weighting for those with larger
roles.) This weighted element worked
in conjunction with an override
mechanism that enabled more
significant downward adjustments, as
far as 100% downwards, to the
scorecard and remuneration for
material risk failures.
• Throughout this period the information
flow to the Board and the Board Risk
and Compliance Committee continued
through the quarterly Financial Crime
reports. Occasional papers were also
produced on key risk issues,
assurance, updates on regulatory and
enforcement actions, and for business
unit reporting.
In summary, after 2017, the level of Board
engagement in matters involving financial
crime was significant.
Further steps were taken after AUSTRAC
lodged its Statement of Claim on 20
November 2019. In the few months since
then:
• The Westpac Chairman has retired
early, the Chair of the Board Risk and
Compliance Committee advised that
he would not stand for re-election as a
Director, and the Chief Executive
Officer resigned.
• A new Chairman and Chief Executive
Officer have been appointed.
• A Board Financial Crime Committee,
chaired by a senior Non-Executive
Director, has been established to
oversee implementation of an
enhanced financial crime program.
• The Global Head of Financial Crime
role was elevated to General Manager
level (General Manager, Financial
Crime) in November 2019, reporting
directly to the Chief Risk Officer.
• Commitment has been made to recruit
an additional 200 people to support
financial crime and compliance
obligations. This adds to the 750
employees engaged in this area
already, as noted above.
• In the interim, all or part of the grant of
the 2019 Short Term Variable Reward
has been withheld for the full
Executive Team, and several
members of the general management
team, subject to the assessment of
accountability.
• The Chairman and other current Non-
Executive Director base fees for 2019
were reduced by 20% as a one-off
measure to recognise collective
accountability as the Board of
Westpac for customer outcomes
highlighted by the Royal Commission,
shareholder sentiment leading to the
‘first strike’ at the 2018 Annual
General Meeting, and significant non-
financial risk matters.
• As well as the appointment of this
Advisory Panel a number of working
groups have been formed and
independent specialists engaged to
advise on accountabilities and
remedial action.
In summary, for the period relevant to the
AUSTRAC allegations, the picture which
emerges is one where diligence reached a
satisfactory level in early 2017, and
although there was previous Board
attention to the matter, particularly since
2015, it was inadequate over that earlier
period and failed to grasp the scale and
systemic nature of the problem. This
contributed to an environment where IFTI
reporting breaches went undetected for
many years, the early Part A program
lacked conviction, and the due diligence
given to both correspondent banks and
customers was not sufficiently thorough.
There is increased attention paid to
financial crime risk beginning late in 2016
and early 2017 with significant increases
in priority by the Board and management,
resources are added, and some good
momentum occurs well before AUSTRAC
initiated proceedings in November 2019.
After 2017 the Advisory Panel is of the
view that the diligence given by the Board
is adequate. Matters appear not to have
been addressed and finalised as quickly
as they should have been but after 2017
there is no doubt about the serious intent
and diligence at the Board level.
7. Next Steps
Our remit was to assess how the Westpac
Board had dealt with the matters
contained in the AUSTRAC allegations.
As such, it has been a ‘backwards’ look –
trying to put ourselves in the shoes of
Board members as events unfolded over
the past several years.
In this section we summarise the steps
that the Westpac Board might prioritise as
it moves to address the exposed
shortcomings in financial crime risk
management. We note that many of the
necessary remedial actions have been
underway for some time, having started
before disclosure of IFTI reporting
breaches in August 2018, and well before
the AUSTRAC action. Some of these
initiatives are summarised in Section 6
and are ongoing.
The incoming leadership has quickly
assumed ownership of the AUSTRAC
issues while determining the wider
Westpac challenges which they perceive
to be most critical. The new Chairman
and CEO are already moving to make the
improvements in financial crime risk
governance that are required.
Obvious priorities will include driving
cultural change - the way work is done,
the committees, shared accountability and
performance management. The time it
takes for implementation is a clear
problem and the blurred accountability
that results from management through
committee is a recognised concern.
Continuing effort will be needed to
strengthen both the regulatory relationship
and compliance, especially in financial
crime risk.
Every board needs to periodically review
its own processes as directors can be
overwhelmed with detailed papers,
meetings get longer and issues lose
visibility given the number of agenda items
and shifting priorities. Westpac is no
exception as the challenge is a universal
one facing boards.
We believe that the following matters merit
early attention by the Board and the
BRCC:
• There are many strengths to the multi-
brand and matrix management
organisational model adopted by
Westpac but end-to-end visibility and
ownership of processes is not one of
them. This is a bigger risk for those
processes which do not have a loud
corporate voice and are characterised
by non-financial key performance
indicators which are not monitored
daily as are financial metrics,
customer statistics and the like. Clear
accountabilities for AML/CTF
compliance and reporting must be
developed and enforced.
• Continued effort is needed to clarify
the responsibilities within the Three
Lines of Defence for financial crime
risk, and to make the model work.
Each line of defence has a role and
care should be taken that line one
does not delegate its responsibility to
line two.
• Rebuilding the relationship with
AUSTRAC and together designing a
mode of engagement and cooperation
that respects the different role each
organisation plays. AUSTRAC is a
regulator that needs to work closely
with its clients to enable information
sharing and detection, but this good
relationship does not detract from its
enforcement activities and Westpac
should not be naïve about both these
roles of the regulator.
• Benchmarking with domestic
competitors is useful but not sufficient
in some cases such as processes
relating to AML/CTF and the evolving
requirements of communities,
regulators and governments. While
Westpac has noted international
benchmarks and had a consultant
conduct an ‘international sounding,’
the need for directors to show
increasing interest in global best
practice in managing financial crime
risk is clear.
• The way in which the Board monitors
their need to meet AML/CTF
obligations should be reviewed. There
are three types of monitoring required:
monitoring the many financial crime
risks facing Westpac, monitoring the
risk management framework to ensure
it remains appropriate and
proportionate to those risks, and
monitoring the transactions and
activities of customers. The ‘traffic
light’ scoring system for conforming to
the risk appetite is one monitoring tool
used but deeper issues also need
routine consideration and perhaps
different types of reporting.
• The Westpac Culture, Governance
and Accountability Self-Assessment
caused a large number of
improvement initiatives to be
undertaken from 2019 onwards. This
work should be focused and
accelerated with clear accountabilities
for delivery, including a more pressing
timetable.
Appendices
Appendix A: Advisory Panel Membership
The Panel established to conduct this review is comprised of:
Colin Carter AM
Colin Carter’s career was with The Boston Consulting Group. He now advises BCG on
global governance issues, is a director of Lendlease, National Golf Club, Australian Ballet
Foundation and is Chairman of the Geelong Football Club. Formerly he was a director of
SEEK, Wesfarmers, Origin Energy, AFL Commission, a number of not-for-profits including
World Vision and also was chairman of Jawun. He has carried out board performance
reviews in many organisations and co-authored a book on boards, Back to The Drawing
Board, published in 2003 by Harvard Business School Press and now translated into six
languages.
Dr Kerry Schott, AO
Kerry Schott is currently Chair of the Energy Security Board and a Director of NBN. She has
been a Chair and Non-Executive Director of a number of unlisted companies in the
infrastructure sector. Kerry was Managing Director and CEO of Sydney Water from 2006 to
2011.
Before that Kerry spent 15 years as an investment banker, including as Managing Director of
Deutsche Bank and Executive Vice President of Bankers Trust Australia.
Kerry holds a doctorate from Oxford University (Nuffield College), a Master of Arts from the
University of British Columbia, Vancouver and a Bachelor of Arts (first class Honours) from
the University of New England, Armidale NSW. Kerry was recently awarded honorary
doctorates at the University of Sydney, Western Sydney University and the University of
New England. She was awarded an Order of Australia in 2015 for services to business and
commerce through a range of public and private sector finance roles.
Dr Ziggy Switkowski, AO
Dr Switkowski is Chancellor of RMIT University and Chairman of NBN Co.
He is a former Chairman of Suncorp Group, the Australian Nuclear Science and Technology
Organisation and of Opera Australia. He has also served as a non-executive director on the
boards of Tabcorp Holdings, Healthscope, Oil Search, Lynas and Amcor.
He has previously held positions as Chief Executive Officer and Managing Director of Telstra
Corporation Limited, Optus Communications Ltd and Kodak (Australasia) Pty Ltd.
He is a Fellow of the Australian Academy of Science, the Australian Academy of
Technological Sciences and Engineering, and the Australian Institute of Company Directors.
In 2014, Dr Switkowski was made an Officer of the Order of Australia for services to tertiary
education administration, scientific organisations and the telecommunications sector, to
business, and to the arts.
Appendix B: AUSTRAC Allegations in Detail
As we outlined in Section 3 the allegations made by AUSTRAC were serious. The nature of
those allegations is discussed in more detail below.
1. Correspondent Banking Due Diligence
Westpac had correspondent banking relationships with sixteen foreign banks. These
relationships are considered to involve greater money laundering and terrorism financing
risks because they encompass cross border transactions, different jurisdictional risks, and
some limits to the transparency of the identity of the customer and the source of funds.
Given this situation Westpac did 47 assessments of its correspondent banks but AUSTRAC
alleges that these assessments had various shortcomings that mean Westpac contravened
section 98 of the AML/CTF Act. According to AUSTRAC this behaviour was beyond
Westpac’s own standards and risk appetite, and appropriate monitoring to identify these
matters was not followed.
2. Failure to Properly Report IFTIs
Each time funds are transferred in or out of Australia Westpac (and other banks) must lodge
an International Funds Transfer Instructions (IFTIs) report with AUSTRAC within 10
business days. Information that must be provided includes the identity of the payer, their
address, the size of the transaction, what the payment is for, and the payee name and
address. Millions of (legitimate) transactions occur each year and this reporting function is
essentially a large data transfer between a bank system and AUSTRAC’s system.
AUSTRAC allege that between November 2013 and September 2018 Westpac received
19,427,710 IFTIs (worth about $11 billion) and did not report these transactions until the
period October 2018 to September 2019. This late reporting of IFTIs represented just over
72% of all incoming IFTIs at Westpac, and related mainly to one correspondent bank.
That bank, and one other, were not reported until years later because Westpac failed to
include the data in the system that exported data to AUSTRAC. It is alleged that there was
no assurance process in place to detect that IT system failure. Two other banks also had a
small number of incoming IFTIs reported late as another systems error allowed non-
reporting on non-banking days.
AUSTRAC also allege that 2.7 million of the incoming IFTIs did not contain all the
information required. In particular the payer was not identified. Westpac had an
arrangement with a foreign ‘Ordering Institution’ to allow electronic funds transfer
instructions from their overseas customers to be processed. IFTIs received under this
arrangement from October 2016 to November 2018 were not reported to AUSTRAC until the
period March to September 2019. AUSTRAC allege that the late reporting of these 61,717
transactions (worth about $100 million) is another breach of section 45 of the Act.
Over the period November 2013 to February 2019 Westpac failed to report 10,771 outgoing
IFTIs (worth about $707 million) as required. These outgoing transactions all related to one
correspondent bank, and were reported late on 4 October 2019. Finally over the period
February 2017 to June 2019, Westpac sent 2,314 instructions for outgoing IFTIs under
arrangements with three foreign banks. AUSTRAC alleges it has never received the
required report on these IFTIs.
3. Transferred Money under Section 64 of the Act
When Westpac is interposed in a chain of fund transfers, it is required to pass on information
to the next institution so that the origin of transferred money is clear. AUSTRAC allege that,
in the period from January 2014 to 2019, Westpac passed on 7,639 fund transfers (worth
about $590 million) and failed to include all the information needed to be able to trace the origin
of the transferred money.
Similarly AUSTRAC allege that in the same period, Westpac sent 2,882 IFTIs out of
Australia (worth about $104 million), and failed to include information in the instructions that
would have enabled the origin of the transferred funds to be traced. AUSTRAC note that
Westpac had obtained the complete information about the payer, but failed to pass it up the
chain. Both these matters are alleged to be in contravention of section 64 of the Act.
4. Making and Retaining Records
Under section 115 of the Act Westpac is obliged to keep records for seven years of each
transfer instruction passed on to it by a correspondent bank. The back-up record keeping
system at Westpac was not correctly configured and records were lost. Data relating to
3,516,238 transfer instructions from one bank were passed on to Westpac from January
2011 but this data was not retained for seven years. AUSTRAC allege this contravened
section 115 of the Act.
5. Anti-Money Laundering and Counter Terrorism Financing Program
Westpac is required to adopt and maintain an anti-money laundering and counter terrorism
financing program. Failure to do so contravenes the Act and banks are not to provide
designated services to customers unless they have such a program. The program is divided
in two parts: Part A (general) and Part B (customer identification). The purpose of Part A is
to identify, mitigate and manage the risk of getting involved in, or facilitating, money
laundering, financing terrorism or other serious financial crime.
AUSTRAC allege that from November 2013 Westpac’s Part A Program did not have the
primary purpose of identifying, mitigating and managing the risk of financial crime. The
allegation is that Westpac’s Part A Program was not compliant with the requirement for risk-
based systems and controls to be put in place. AUSTRAC allege that from mid-2015
controls had been predominantly unsatisfactory and out of appetite; and these ratings were
driven by inter alia compliance and risk issues at Westpac and inadequacies with Detica,
Westpac’s financial crime system. Remediation had not been adequate, timely or prioritised.
AUSTRAC list a number of concerns and examples of poor management and operational
failures to support their allegation.
6. Ongoing Customer Due Diligence and Child Exploitation
Westpac policy was to maintain and develop detection to monitor customer transactions.
Advice and feedback from AUSTRAC and other law enforcement agencies was to be
prioritised. By May 2016 Westpac had assessed that the child exploitation risks relating to
low value payments to the Philippines were increasing. In response Westpac introduced a
detection scenario to one of its payment channels but this scenario failed to detect any
issues.
This detection test was replaced by another in June 2018 and AUSTRAC allege it was not
until that time that an appropriate analytical tool had been applied. AUSTRAC also note that
this more effective detection was applied to only one payment channel (LitePay) and not to
other channels.
AUSTRAC further alleged that Westpac failed to conduct ongoing customer due diligence on
twelve customers. AUSTRAC has alleged that this failure contravened section 36 of the
Anti-Money Laundering and Counter Terrorism Financing Act 2006. The intent of that law is
to identify, mitigate and manage the risk of the bank facilitating money laundering, financing
terrorism and other serious financial crimes.
Each of the twelve customers held an account with Westpac. Eleven of the twelve
customers had repeated patterns of frequent low value transactions that were consistent
with child exploitation typologies. The twelfth customer had a prior conviction for child
exploitation offences. AUSTRAC alleges that had Westpac conducted appropriate due
diligence, and in particular applied appropriate detection scenarios for child exploitation
typologies, these customers would have been identified earlier.
AUSTRAC notes several other matters about these customers. AUSTRAC alleges that one
customer transferred money in 2014 to a person who was later (in 2015) arrested for child
trafficking and exploitation, and that had Westpac been appropriately monitoring in 2014,
those transactions would have come to its attention. A number of these customers travelled
to the Philippines a number of times.
Another customer held accounts at Westpac from 2016 and in June 2019 Westpac became
aware that money was being transferred to the Philippines in a manner that was indicative of
child exploitation. A few days later Westpac became aware that this customer had a prior
conviction for child sexual exploitation. This prior conviction requires enhanced customer
due diligence by the bank and it is alleged by AUSTRAC that Westpac did not do so
promptly or appropriately given the risks involved.
The information provided by AUSTRAC about eleven of the twelve customers shows:
• Two relevant customer accounts were opened before November 2013, another one was
opened in 2015, five were opened in 2016, and one was opened in each of 2017, 2018
and 2019;
• Westpac identified the child exploitation issue in these customer accounts from March
2018 onwards;
• The size of each individual relevant transaction ranged from about $40 to $300; and
• Following the identification of the child exploitation issue AUSTRAC noted that some
accounts continued transacting.
Appendix C: Terms of Reference
On 20 November 2019, the Australian Transaction Reports and Analysis Centre
(AUSTRAC) lodged a Statement of Claim against Westpac in the Federal Court. That
document contained a range of allegations regarding Westpac’s satisfaction of obligations
under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006.
On 28 November 2019, Westpac announced that it would establish an accountability review
advisory panel (Advisory Panel) of three independent experts to provide recommendations
on governance and Board accountability.
Terms of Reference for the Advisory Panel
Basically, the Advisory Panel will answer two questions.
• Were the formal Board processes, including information flows, adequate to ensure
informed oversight of compliance with the requirements of the Anti-Money Laundering
and Counter-Terrorism Financing Act 2006; and
• Was the level of due diligence exercised by Directors within these processes
appropriate?
These two questions will focus on the governance of risk by the Board particularly as it
relates to financial crime. The questions will be approached by considering first whether
formal Board processes were adequate; and second whether the level of diligence exercised
by Directors within the operation of those formal processes was suitable.
Process stream
• Informed by guidance from a range of relevant bodies – for example, the ASX, the AICD,
ASIC and APRA – the Advisory Panel will set out what “good risk governance” looks like
for an organisation of the scale and nature of Westpac. The focus would then be inter
alia on the extent to which these attributes were met by the Westpac Board generally
and more specifically in regard to the governance of financial crime risk.
• The view of the Advisory Panel will reference documentary evidence, interview records,
and any other matter they judge relevant.
• Governance themes might include the risk management framework, strategy and
appetite setting; information content and flow; composition of Board Committees;
allocation of time to risk matters; engagement by the Directors; enforcement of
management accountability; escalation processes; Director skills and experience;
oversight of risk related incentives and remuneration; and oversight of consequence
management.
• The Advisory Panel will form an overall judgment and make recommendations regarding
the adequacy or otherwise of risk governance by the Westpac Board specifically in the
area of financial crime.
Diligence stream
• The Advisory Panel should set out those actions and behaviours that in its view
constitute a reasonable standard of diligence for directors in this risk governance
context.
• The Advisory Panel may draw on the “reasonable steps” concept that underpins the
Banking Executive Accountability Regime where these are considered relevant.
• Supported as appropriate by documentary evidence and interview records, the Advisory
Panel will assess whether or not the Board has been diligent in its risk governance duties
and specifically as they relate to financial crime.
• The assessments will be undertaken for Chairmen and Directors including the Chief
Executive Officer in his role as a Director.
Completion
The Advisory Panel will provide a written report to the Board, through the Board Financial
Crime Committee, that has been set up to deal with this matter. A set of recommendations
regarding board governance and board accountability should be made under the two
streams of work set out above. That report will be made available to regulators, and more
broadly to the public, as Westpac determines.
The final report of the Advisory Panel will be submitted by 30 April 2020 at the latest.
Appendix D: Review Process
Over a four-month period, Panel members have:
• Reviewed relevant literature on governance of financial institutions especially the CBA
Prudential Enquiry (May 2018), the Westpac Culture, Governance and Accountability
Self-Assessment (November 2018), the ASIC Corporate Governance Task Force Report
(October 2019) and the APRA Banking Executive Accountability Regime (February
2018).
• Reviewed Board and Board Committee documents, and extracts of documents, for the
2013-19 period.
• Interviewed the Chairman (outgoing and incoming), CEO (former and current), and each
current Non-Executive Director listed below.
• Interviewed senior Westpac executives, listed below, with connection to non-financial
risk and specifically financial crime.
• Reviewed information on critical Financial Crime events at offshore banks.
The Panel interviewed the following current and former Westpac Non-Executive and
Managing Directors:
Nerida Caesar
Alison Deans
Craig Dunn
Anita Fung
Steven Harker
Peter Marriott
Lindsay Maxsted
John McFarlane
Peter Nash
Margie Seale
Brian Hartzer in his capacity as the former Managing Director
Peter King in his capacity (at the date of interview) as Acting Managing Director
Several Westpac Executives and the external Auditor were also interviewed:
Craig Bright - Chief Information Officer
Di Challenor - General Manager, Group Transaction Services
Lyn Cobley - Chief Executive, Westpac Institutional Bank
Rebecca Lim - Enterprise Legal Counsel
Christine Parker - Group Executive, Human Resources
Scott Saunders - General Manager, Financial Crime
David Stephen - Chief Risk Officer
Gary Thursby - Acting Chief Financial Officer
Mike Trotter - Head of Risk Strategy and Operations
Lona Mathis - Lead Audit Partner, PwC
The focus of our investigation has been narrow and we have not interviewed people outside
Westpac (except as noted above).
The Panel was assisted in their work by a Secretariat and we would like to particularly thank
John Arthur, Leif Evensen and Stephanie Gray for their expert assistance.
Appendix E: Risk Taxonomy
Given that the metrics of success for a major listed company centred, until recently, upon
share price and dividend flows, the presumed drivers of shareholder value, Westpac was a
demonstrably successful business. Its processes, including the oversight of Risk, were
mostly fit for that purpose, well documented and executed.
It’s instructive to note the spectrum of risks that today’s banks manage.
The Level 1 Risks of the Westpac Risk Taxonomy represent the material risk classes for the
Group and include:
• Governance;
• Risk culture;
• Strategic;
• Capital adequacy;
• Funding and liquidity;
• Credit;
• Market;
• Operational;
• Cyber;
• Conduct and compliance; and
• Reputational.
Until 2019, Westpac did not explicitly headline non-financial risk but Financial Crime and
AML/CTF obligations were to be found distributed across the Operational, and Conduct and
Compliance classes.
In recent months Financial Crime has been added to the other eleven Level 1 Risks.
To put the task of the Advisory Panel in perspective we are trying to assess the Board’s
actions over the past seven years in the area of AML/CTF obligations (as described in the
AUSTRAC Statement of Claim). Financial Crime, (now) one of the twelve Level 1 Risks, is
monitored by the Board Risk and Compliance Committee, and further overseen by the Board
whose responsibilities cover the whole Group.
Promontory Australia, a business unit of IBM Australia Limited
Suite 2, Level 3, 120 Sussex Street, Sydney, NSW, 2000, Australia promontory.com
27 May 2020
Mr Peter Nash
Chairman of the Westpac Board Financial Crime Committee
Westpac Banking Corporation
275 Kent Street
Sydney, NSW, 2000
Dear Mr. Nash
External Assurance to the Westpac Board over Westpac’s Management Review of
Accountability for the alleged failings identified in AUSTRAC’s Statement of Claim
On 21 November 2019 the Australian Transaction Reports and Analysis Centre (AUSTRAC)
lodged a Statement of Claim in the Federal Court against Westpac Banking Corporation (Westpac
or Bank) for failing to meet certain of its obligations under the Anti-Money Laundering and
Counter-Terrorism Financing Act (2006) (AML/CTF Act). As part of its response, Westpac initiated
a Management Review of Accountability for the alleged failings identified in the Statement of
Claim. Promontory, a Division of IBM Limited, was engaged to provide external assurance to
Westpac’s Board over the Management review.
This letter summarises Promontory’s external assurance over this review.
In response to AUSTRAC’s allegations Westpac engaged Promontory to provide assurance to the
Westpac Board that Westpac’s Management Review of Accountability for the alleged failings was
robust, based upon an accurate and complete set of facts, and employed a sound methodology
for arriving at its conclusions.
All materials shared with Promontory for the purpose of our assurance work were provided on a
confidential basis. The need to preserve legal privilege over some of the materials involved meant
that our access to parts of the Review was even further limited. In particular, we did not
participate in interviews and we did not see the conclusions of the Review or the report produced
by the Review. Consequently, while we were able to provide assurance over the design of the
Review, our ability to provide assurance over the implementation of the Review was limited. The
scope of our assurance over its conclusions and recommendations was limited to a negative
assurance opinion.
Our assurance activities, which ran for a period of around five months, included reading and
assessing documents, including vast quantities of documents made available by Westpac,
relevant Westpac policies, procedures and frameworks, Management and Board Committee
papers, and a methodology document compiled by the Review Team. These were supplemented
by two walk-throughs by the Team of their approach and methodology as applied to the
allegations relating to Westpac’s failure to adequately monitor international transactions for Child
Sex Exploitation. We conducted our own analysis of these inputs and were provided with, and
took, the opportunity to challenge the Review team on its methodology and interpretations.
Based on our assurance activities, and subject to the limitations noted above, Promontory can
provide the Westpac Board with the following assurances.
1. That the Review of Individual accountabilities for the alleged failings identified by
AUSTRAC was designed in a way that was appropriate for the objectives of the Review.
In particular:
• the scope of the Review provided the Review Team with adequate flexibility to
investigate the AUSTRAC allegations;
• while the information available to Promontory was less extensive than that available
to the Review Team, we were satisfied that the latter was sufficiently broad and
accurate for the Review Team to develop a robust methodology for the Review;
• the methodology developed by the Review Team, as described in their Methodology
Document and inferred from the walk-through of the CSE stream, was sound and
appropriate for arriving at conclusions and recommendations consistent with the
objectives of the Review; and
• the range of individuals targeted for interview was adequate and appropriate for
assessing accountability.
2. On the basis of our limited sample of one work stream, the methodology appears to have
been implemented as designed, and with appropriate care and due diligence.
3. Given our lack of visibility over the conclusions and recommendations made by the
Review Team, Promontory is only able to provide negative assurance over these.
Specifically, we saw no reason why the methodology, if implemented as designed, should
not lead to accurate and appropriate conclusions and recommendations.
Our more detailed report on these issues was provided to you separately on 25 May 2020.
Sincerely,
Jeffrey Carmichael, Practice Leader, Promontory Australia
Peter Kell, Managing Director, Promontory Australia