Westpac and AUSTRAC reach agreement on AML/CTF proceedings
ASX Release
24 SEPTEMBER 2020
Westpac and AUSTRAC reach agreement on AML/CTF civil
proceedings subject to Federal Court approval
Westpac Group has today announced it has reached an agreement with AUSTRAC
to resolve the civil proceedings commenced in the Federal Court of Australia on 20
November 2019.
Under the agreement, the parties have today agreed to:
• file with the Federal Court a Statement of Agreed Facts and Admissions
• recommend to the Court that Westpac pay a civil penalty of $1.3 billion in
relation to admitted contraventions of the Anti-Money Laundering and
Counter-Terrorism Financing Act 2006 (AML/CTF Act).
As part of the agreement, Westpac has admitted to additional contraventions that
are outlined in the amended statement of claim, and which contribute to the agreed
penalty.
Westpac Group Chief Executive Officer, Peter King, said: “I would like to apologise
sincerely for the Bank’s failings.
“We are committed to fixing the issues to ensure that these mistakes do not happen
again. This has been my number one priority. We have also closed down relevant
products and reported all relevant historical transactions.
“This agreement is an important step in the court process. It provides more certainty
to all our stakeholders as we continue to implement the measures in our Response
Plan and complete the implementation of recommendations from the reviews that
have been conducted,” he said.
In June, Westpac released the findings from its investigation into its AML/CTF
compliance issues as well as the Advisory Panel Report on governance and
accountability.
Level 18, 275 Kent Street
Sydney, NSW, 2000
“Westpac is taking action to address the areas where we have failed and are
implementing all the recommendations of the Advisory Panel Report,” Mr King said.
“We are strengthening our financial crime capability. We acknowledge the important
role Westpac must play in protecting the integrity of the financial system. As part of
this process we are improving our end-to-end financial crime risk management
processes and have established clearer accountabilities for AML/CTF compliance.
“Westpac has made substantial investments to strengthen its systems, processes, and
controls to detect and report suspicious transactions.
“We have recruited about 200 financial crime people to the group, created a new
Group Executive position directly responsible for improving our financial crime
capability, and established a new Board Legal, Regulatory and Compliance
sub-committee,” he said.
“We have also undertaken a reassessment of our culture, governance and
accountability and are embarking on a comprehensive, multi-year program to
strengthen how we manage non-financial risk across the Group. This includes a
significant investment in training to support our people to better identify, assess and
manage risks.
“We are determined to continually lift our financial crime standards, comply with our
obligations and uphold our customer, community, and regulatory expectations,” Mr King
said.
Westpac in its First Half 2020 results provided for an estimated penalty of $900 million,
and associated costs at which time the bank noted the proceedings were complex and
ongoing, and the ultimate penalty following either a settlement or a hearing, and in each
case as determined by the Court may be materially higher or lower than the amount
provided for. The penalty that Westpac and AUSTRAC will recommend to the Court
reflects the outcome of ongoing review and dialogue with AUSTRAC. Westpac will
increase the provision in its accounts for the year ending 30 September 2020 by a
further $404 million to account for the higher estimated penalty and for additional costs,
including AUSTRAC’s legal costs of $3.75 million.
The Statement of Agreed Facts and Admissions is attached.
For further information:
David Lording, Group Head of Media Relations: 0419 683 411
Andrew Bowden, Head of Investor Relations: (02) 82534008 or 0438 284 863
This document has been authorised for release by Tim Hartin, General Manager & Company Secretary.
page 1
39199251
Federal Court of Australia NO. NSD 1914 of 2019
District Registry: New South Wales
Division: Commercial and Corporations
CHIEF EXECUTIVE OFFICER OF THE AUSTRALIAN
TRANSACTION REPORTS AND ANALYSIS CENTRE
Applicant
WESTPAC BANKING CORPORATION
ACN 007 457 141
Respondent
STATEMENT OF AGREED FACTS AND ADMISSIONS
Table of contents
A. INTRODUCTION
B. PARTIES AND BACKGROUND
B.1 AUSTRAC
B.2 Westpac
B.3 Correspondent banking
B.4 Direct Model Australasian Cash Management arrangements
B.5 OSBSB arrangements
C. FACTS RELEVANT TO LIABILITY
C.1 IFTI Reports – Contraventions of section 45 of the AML/CTF Act
C.2 Information about the origin of the transferred money – contraventions of Part 5 of the AML/CTF Act
C.3 Making and retaining records – contraventions of section 115 of the AML/CTF Act
C.4 Correspondent Banking Due Diligence – contraventions of section 98 of the AML/CTF Act
C.5 AML/CTF Program
C.6 Ongoing Customer Due Diligence – contraventions of section 36 of the AML/CTF Act
D. FORMAL ADMISSIONS
E. FACTS RELEVANT TO RELIEF
E.1 Nature and extent of the contraventions
E.2 Loss or damage suffered
E.3 Prior contraventions
E.4 Westpac's size and financial position
E.5 Board and senior management involvement
E.6 Cooperation with AUSTRAC and contrition
E.7 Remediation, corrective measures and enhancements
A. INTRODUCTION
1 This Statement of Agreed Facts and Admissions (SAFA) is made for the purposes of section 191
of the Evidence Act 1995 (Cth) (Evidence Act) jointly by the Applicant (the Chief Executive
Officer (CEO) of the Australian Transaction Reports and Analysis Centre (AUSTRAC)), and the
Respondent, Westpac Banking Corporation (Westpac).
2 The SAFA relates to Proceedings NSD 1914/2019 commenced by the AUSTRAC CEO against
Westpac on 20 November 2019 (Proceedings). By the Proceedings, the AUSTRAC CEO has
sought declarations that Westpac contravened particular provisions of the Anti-Money Laundering
and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act), and orders that it pay
pecuniary penalties to the Commonwealth.
3 This document identifies the facts relevant to the contraventions in the period 20 November 2013
to 20 November 2019 (the Relevant Period) admitted by Westpac for the purpose of the
Proceedings. The facts agreed to, and the admissions made, are agreed to and made solely for
the purpose of the Proceedings and do not constitute any admission outside of the Proceedings.
4 For the purposes of the Proceedings only, Westpac admits that it contravened sections 36(1),
45(2), 64(6) and 64(7)(f), 81, 98 and 115 of the AML/CTF Act in particular respects as set out in
this SAFA.
5 The parties have reached agreement as to the terms of relief to be sought from the Court to
resolve the Proceedings. The parties acknowledge that, under section 175 of the AML/CTF Act, it
is ultimately for the Court to determine whether Westpac contravened a civil penalty provision and
the quantum of any pecuniary penalties that should be ordered.
B. PARTIES AND BACKGROUND
B.1 AUSTRAC
6 The AUSTRAC CEO is appointed pursuant to section 211 of the AML/CTF Act. She is charged
with enforcing compliance with the AML/CTF Act and subordinate legislation, including the
Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No.1) (AML/CTF
Rules) and has brought the Proceedings in that capacity.
B.2 Westpac
7 Westpac is a company incorporated in Australia and a person within the meaning of section 5 of
the AML/CTF Act. It is, and was at all material times, a reporting entity within the meaning of
section 5 of the AML/CTF Act and a provider of designated services to customers within the
meaning of section 6 of the AML/CTF Act.
8 At all material times, Westpac has been an Authorised Deposit-Taking Institution (ADI), being a
corporation that is authorised under the Banking Act 1959 (Cth) (Banking Act) to carry on
banking business in Australia. At all material times it has carried on activities or business through
a permanent establishment in Australia for the purposes of the AML/CTF Act.
9 Westpac is a provider of financial services, including retail, business and institutional banking and
wealth management products and services.
B.3 Correspondent banking
10 Correspondent banking, while an essential part of the international financial system, involves
higher money laundering and terrorism financing (ML/TF) risks associated with cross-border
movements of funds, jurisdiction risk (including the risks of operating in certain foreign countries)
and risks associated with the transparency of the identity and source of funds of customers of the
correspondent banks.
11 Throughout the Relevant Period, Westpac had a correspondent banking relationship (as defined
under section 5 of the AML/CTF Act) with the parent entity of Bank A (Bank A Parent), a
subsidiary of Bank G (Bank G Subsidiary), and Banks B, C, D, E, F, H, I, J, K, L, M, N, O and P
set out in Confidential Annexure A to this SAFA (correspondent banks) because:
(a) Westpac and each correspondent bank were both banks;
(b) Westpac carried out an activity or business at or through a permanent establishment in
Australia and the correspondent bank carried out an activity at or through a permanent
establishment in another country;
(c) the relationship related, in whole or in part, to those permanent establishments;
(d) the relationship was not of a kind specified in the AML/CTF Rules; and
(e) the relationship involved a vostro account, being an account Westpac held for the
correspondent bank in Australian dollars for the purpose of facilitating the settlement of
international transactions on behalf of the correspondent bank's customers.
12 Westpac also had non-correspondent banking relationships with Banks A and G. The identity of
these banks is set out in Confidential Annexure A.
13 At various points throughout the Relevant Period, Westpac had arrangements with each of the
correspondent banks to allow for the international transfer of funds by overseas and domestic
customers of the correspondent banks to Australian beneficiaries, as well as beneficiaries in other
jurisdictions.
14 Those arrangements varied as between the correspondent banks, but included those described
in sections B.4 and B.5 respectively below, being the Direct Model Australasian Cash
Management arrangements and off-system bank state branch (OSBSB) arrangements.
15 Westpac's correspondent banking relationships with Banks B and C were also relevant to the
LitePay product, described in section C.1.7 below.
B.4 Direct Model Australasian Cash Management arrangements
16 Throughout the Relevant Period, Westpac had in place arrangements with a number of
correspondent banks that were provided under what were known as the Australasian Cash
Management (ACM) arrangements. The ACM arrangements provided by Westpac to
correspondent banks involved varied models and offerings, variously referred to as ACM1, ACM2
and ACM3, among other names. For the purposes of these Proceedings, the key ACM
arrangements were those offered to a number of correspondent banks, including to Banks A to F,
which were known as the “Direct Model” arrangements (the Direct Model ACM arrangements)
and to Banks B and C which were known as the “Referral Model” arrangements (the Referral
Model ACM arrangements). For Banks A, C, D, E and F, the Direct Model ACM arrangements
were part of what was referred to within Westpac as the ACM1 offering, whereas the Direct Model
ACM arrangement with Bank B was referred to within Westpac as the Bank B Direct Model
Arrangement. The Referral Model ACM arrangements with Banks B and C were referred to within
Westpac as the ACM2 arrangements.
17 These Direct Model ACM arrangements varied as between the correspondent banks, but
generally allowed the correspondent banks to use Westpac’s infrastructure to process payments
for their overseas and domestic customers through Westpac's direct access to the low value
clearing network in Australia and New Zealand.
18 The functionality of the Direct Model ACM arrangements (particularly the ability to make recurring,
low value payments from across the world) meant that they were an attractive solution for
governments and corporate clients of correspondent banks. The Direct Model ACM arrangements
enabled customers (payers) of correspondent banks to make low value as well as high value
payments to multiple beneficiaries (payees) in Australia or New Zealand through a single
communication channel. The sending of structured files is generally a more efficient and lower
cost solution for government and other clients of correspondent banks than sending standard
Society for Worldwide Interbank Financial Telecommunication (SWIFT) payment messages that
involve a single payer and a single payee.
19 Payment instructions under the Direct Model ACM arrangements were generally initiated by the
customer of the correspondent bank using the correspondent bank’s platform. The correspondent
bank then formatted the payment instructions into an agreed structured data file format (which
could include multiple instructions) and transmitted that file to Westpac. Westpac referred to
these instructions as 'batched files', 'structured data files' or 'structured files'. For the purposes of
this SAFA, they are referred to as Structured Files.
20 The majority of instructions included in Structured Files received through the Direct Model ACM
arrangements were for payments to be processed through the Direct Entry System (Direct
Entry), a domestic payments system administered by the Australian Payments Network Limited
(AusPayNet). The ACM payment channel was initially developed to facilitate government
pension payments. Over time, additional types of commercial payments were sent through this
channel by Bank A, including payment aggregator transactions (i.e., a payment aggregator in the
foreign country collecting payment instructions from multiple parties) and supplier payments (i.e.,
global companies sending multiple payments to multiple suppliers in Australia).
21 Globally, most international transfers are sent as one-to-one payments (i.e. involve a single payer
and a single payee) through the SWIFT network. These transfers must comply with the SWIFT
messaging format and SWIFT Guidelines, which outline mandated data fields. These data fields
include certain data about the ordering customer, or payer, and about the payee.
22 The Structured Files sent through the Direct Model ACM arrangements could contain multiple
payment instructions and were sent to Westpac via SWIFT FileAct, which is a secure file transfer
mechanism between correspondent banks designed and provided by SWIFT, or via a direct
HTTP or SCP connection between the correspondent bank and Westpac. These file transfer
mechanisms allow the transmission of non-SWIFT formatted content (containing less payment
information than the standard SWIFT payment messages, such as MT103 payment messages).
SWIFT FileAct was designed for, amongst other things, the transmission of payment instructions.
23 Where instructions were sent through the Direct Model ACM arrangements, once received,
Westpac loaded the Structured Files onto the Direct Entry or the Real Time Gross Settlement
(RTGS) service, after which the funds were dispersed to the beneficiaries in accordance with the
instructions contained in the Structured Files. Thereafter, the correspondent bank settled
payment for the transfer of funds contained in the Structured Files through its corporate operating
account with Westpac, save for Bank A, which settled payments for instructions in the Structured
Files through a corporate operating account held with its affiliate entity. Each of these corporate
operating accounts was a vostro account for the purposes of the AML/CTF Act and AML/CTF
Rules.
24 The Direct Model ACM arrangements involved the provision of designated services by Westpac
to customers within the meaning of section 6(1) of the AML/CTF Act.
25 The Referral Model ACM arrangements with Banks B and C generally involved a correspondent
bank referring a customer to Westpac. Westpac would open an account in the name of the
overseas customer or a related entity. Transactions on the Westpac account could be facilitated
through the correspondent bank’s platform. Similar to the Direct Model ACM arrangements, the
Referral Model ACM arrangements effected payments through Direct Entry, RTGS and Outgoing
Telegraphic Transfer (OTT).
26 The Referral Model ACM arrangements involved the provision of designated services by Westpac
to customers within the meaning of section 6(1) of the AML/CTF Act.
B.5 OSBSB arrangements
B.5.1 The OSBSB arrangement with Bank B
27 As noted above, the Direct Model ACM arrangement with Bank B was sometimes referred to as
the Bank B Direct Model arrangement, the nature and operation of which is described
immediately below.
28 The Direct Model ACM arrangement with Bank B differed from the Direct Model ACM
arrangements with Banks A, C, D, E and F in a number of respects, including that it allowed for
'outgoing' international funds transfer instructions (IFTIs) (i.e., instructions to send funds out of
Australia) as well as 'incoming' IFTIs (i.e., instructions to send funds into Australia). For the
purposes of this SAFA, the arrangement that allowed for Westpac to send outgoing IFTIs as part
of the Direct Model ACM arrangement with Bank B is called the Bank B Outgoing IFTIs
Arrangement. Further detail regarding the Bank B Outgoing IFTIs Arrangement is set out in
paragraphs 36 to 40.
29 For the Direct Model ACM arrangement with Bank B, Westpac provided Bank B with a corporate
operating account comprising a BSB and Account number (the Bank B Settlement Account).
In addition, Westpac provided Bank B with an OSBSB and linked this OSBSB to the Bank B
Settlement Account. Westpac registered the OSBSB with AusPayNet under the name of Bank B.
The registration of the OSBSB and the name were published by AusPayNet in its BSB database.
30 In its own books, Bank B created a number of sub-accounts. These sub-accounts were then
provided with the OSBSB to Bank B's customers. Each customer had a different account number
with the same OSBSB number. The settlement of funds upon receipt of a payment was to the
Bank B Settlement Account. Each such sub-account mirrored an AUD account held by Bank B's
customer with Bank B's Singapore branch (the Singapore Account).
31 Bank B allocated each sub-account a reference number. For transfers into and out of the Bank B
Settlement Account, the reference number allocated by Bank B served as the account number
used to process the payment through the domestic Australian payment systems. The OSBSB
was registered in the name of the correspondent bank using the Westpac brand BSB range
formula and with Westpac registered as the financial institution.
32 The OSBSB allocated to Bank B permitted it to create multiple sub-accounts and allocate each
sub-account with a reference number which could be used as an account number for the
purposes of transferring money to the OSBSB account through Direct Entry. As such, Bank B
maintained customer accounts on its own ledgers using this OSBSB.
Transfer instructions out of Bank B's Singapore Account – 'inward IFTIs'
33 When a Bank B customer wished to transfer money out of their Singapore Account to an
Australian payee, they could request that transfer by giving an instruction to Bank B in Singapore.
Bank B's customer would instruct Bank B via the internet banking platform of Bank B. Bank B
aggregated instructions received from its customers and provided them to Westpac in the form of
a Structured File.
34 Westpac processed the transfer instruction through the appropriate Australian domestic payment
system (i.e. Direct Entry, RTGS or by issuing a bank cheque).
35 Processing the transfer instruction through the Australian domestic payment system resulted in
the transferred money being drawn from the Bank B Settlement Account. Bank B reduced the
balance of the Singapore Account by a corresponding amount.
Transfer instructions into Bank B's Singapore Account – the Bank B Outgoing IFTIs
Arrangement
36 As set out in paragraphs 28 to 32, the Direct Model ACM arrangement with Bank B allowed
'outgoing IFTIs', being transfers to the AUD account held by Bank B's customer with Bank B in
Singapore.
37 Money paid by a third party (i.e. a debtor of Bank B's customer) (the Bank B Customer Debtor)
into the Bank B Settlement Account using the Australian domestic payment systems could then
be transferred into the Singapore Account, via the Bank B Settlement Account. As with any bank
account, the Bank B Customer Debtor could also deposit cash or cheque into the Bank B
Settlement Account, at a Westpac branch. To make the payment, the Bank B Customer Debtor
would use the OSBSB for the Bank B Settlement Account as the BSB number and the reference
number for the sub-account.
38 Westpac reported transfers to the Bank B Settlement Account to Bank B by sending an account
statement in BAI2 Statement Format to Bank B (in Singapore). “BAI2 Statement Format” is a
standard format for account statements, to which Bank B requested minor changes for the
purposes of the Bank B Outgoing IFTIs Arrangement. That account statement included the
information required by Bank B to adjust the balance of the relevant Singapore Account to reflect
the AUD amount of the money transferred.
39 Bank B adjusted the balance of the Singapore Account to reflect transfers into the Bank B
Settlement Account that corresponded to the relevant reference number. Such transfers into the
Bank B Settlement Account resulted in a balance adjustment to the corresponding Singapore
Account.
40 The OSBSB arrangements with Bank B described above involved the provision of designated
services by Westpac to customers within the meaning of section 6(1) of the AML/CTF Act. In
particular, transactions on the Bank B Settlement Accounts were designated services within the
meaning of item 3, table 1 of section 6(1) of the AML/CTF Act.
B.5.2 The OSBSB arrangement with Bank J
41 Westpac provided Bank J Sydney branch with a corporate operating account (the Bank J
Settlement Account). In addition, Westpac provided Bank J Sydney branch with an OSBSB.
This OSBSB was registered by Westpac with AusPayNet and was published within the
AusPayNet database. Bank J provided its customer with a unique account number for the
OSBSB. Bank J’s parent entity, domiciled in an overseas jurisdiction, sent payments to the Bank
J Sydney branch Settlement Account to make and receive international payments on behalf of its
customers, although, on Westpac's review, only one instance has been identified of an
international payment being made or received on behalf of Bank J Sydney branch's customers.
42 The OSBSB allocated to Bank J permitted it to create multiple sub-accounts and allocate each
sub-account with a reference number which could be used as an account number for the
purposes of transferring money to the OSBSB account through Direct Entry. Bank J maintained
customer accounts on its own ledgers using this OSBSB.
43 A third party (i.e. a debtor of Bank J's customer) (the Bank J Customer Debtor) could transfer
money from an Australian bank account into the Bank J Settlement Account, using the Australian
domestic payment systems. As with any bank account, the Bank J Customer Debtor could also
deposit cash or cheques into the Bank J Settlement Account, at a Westpac branch or IDM. For
deposits other than through ATMs, to make the payment, the Bank J Customer Debtor would use
the OSBSB for the Bank J Settlement Account as the BSB number and the reference number for
the sub-account or the Bank J Settlement Account details.
44 The OSBSB arrangements with Bank J described above involved the provision of designated
services by Westpac to customers within the meaning of section 6(1) of the AML/CTF Act. In
particular, transactions on the Bank J Settlement Account were designated services within the
meaning of item 3, table 1 of section 6(1) of the AML/CTF Act.
C. FACTS RELEVANT TO LIABILITY
C.1 IFTI Reports – Contraventions of section 45 of the AML/CTF Act
C.1.1 The relevant IFTIs
45 The admitted contraventions of section 45 of the AML/CTF Act concern certain IFTIs received or
sent by Westpac under the following arrangements.
Incoming IFTIs
(a) IFTIs received by Westpac from Banks A, B, C and D under the Direct Model ACM
arrangements (the Bank A, B, C and D Incoming IFTIs).
(b) IFTIs received by Westpac under arrangements with Ordering Institution A (the Ordering
Institution A Incoming IFTIs).
Outgoing IFTIs
(c) IFTIs sent by Westpac under the Bank B Outgoing IFTIs Arrangement (the Bank B
Outgoing IFTIs).
(d) IFTIs sent by Westpac under LitePay arrangements with Banks B, C and Q (the LitePay
Outgoing IFTIs).
IFTIs without payer names
(e) IFTIs received by Westpac from Banks A and F under the Direct Model ACM
arrangements
C.1.2 Bank A, B, C and D Incoming IFTIs
46 To the extent that Westpac was a recipient of an IFTI transmitted into Australia as described in
item 2 of the table in section 46 of the AML/CTF Act (incoming IFTI), section 45(2) of the
AML/CTF Act required Westpac, within 10 business days after the day on which the instruction
was received by it, to give the AUSTRAC CEO a report about the instruction. That report was
required, by section 45(3) of the AML/CTF Act, to be in the approved form and contain such
information relating to the matter as was specified in the AML/CTF Rules.
47 During the Relevant Period, Westpac received approximately 29.6 million incoming IFTIs.
48 The following table sets out how many incoming IFTIs Westpac received from Banks A, B, C and
D under the Direct Model ACM arrangements for the period from 5 November 2013 to 3
September 2018, and how many of these IFTIs were not reported within the required 10 business
days (the Late Bank A, B, C and D Incoming IFTIs).
Correspondent bank    IFTIs received    IFTIs not reported within 10 business days
Bank A                19,378,512        19,378,512
Bank B                36,251            36,251
Bank C                63,907            37
Bank D                522,084           13,239
49 The Bank A, B, C and D Incoming IFTIs were:
(a) electronic funds transfer instructions for the purposes of section 8(1) of the AML/CTF Act
in that:
(i) the customer (the payer) instructed either Bank A, B, C or D (which were banks
for the purposes of section 8(1)(c)(ii) of the AML/CTF Act) to transfer money
controlled by the payer to a third person (the payee) on the basis that the
transferred money would be made available to the payee by a beneficiary
institution in Australia (which was either an ADI, bank, building society or credit
union for the purposes of section 8(1)(d) of the AML/CTF Act); and
(ii) the transfer instructions referred to in subparagraph (i) above were passed on
wholly or partly by electronic means; and
(b) accepted at or through a permanent establishment of one of Banks A, B, C or D in a
foreign country.
50 The transferred money relating to each of the Bank A, B, C and D Incoming IFTIs was made
available to the payee at or through a permanent establishment of the beneficiary institution in
Australia.
51 By reason of the matters referred to in paragraphs 46 to 50 above, Westpac was required to give
the AUSTRAC CEO a report of each of the Bank A, B, C and D Incoming IFTIs within 10
business days after the date each of these IFTIs was received.
52 In the period from October 2018 to October 2019, Westpac gave the CEO of AUSTRAC reports
of 19,428,039 Late Bank A, B, C and D Incoming IFTIs. Each of those reports was provided later
than 10 business days after the date the IFTI was received by Westpac, as required by section
45(2) of the AML/CTF Act.
C.1.3 Reasons for failure to report: Banks A and B
53 Pursuant to the staggered implementation timeline for the requirements introduced by the
AML/CTF Act, reporting entities were required to implement IFTI reporting in accordance with the
AML/CTF Act by 12 September 2010. [footnote 1]
54 In order to comply with its obligations under the AML/CTF Act, including in relation to IFTI
reporting, Westpac commenced a series of substantial projects involving changing and upgrading
the relevant Westpac systems.
55 Despite having intended to report IFTIs for both Bank A and Bank B from late 2011, this did not
happen. From late 2011 Westpac proceeded on the misapprehension that the project to report
IFTIs received as Structured Files (the Structured Files IFTI Implementation) had been
successful, with IFTIs being reported for Bank A and Bank B.
56 As set out in paragraphs 57 to 67 below, the failure to commence reporting IFTIs for the Direct
Model ACM arrangements with Banks A and B was caused by a number of factors, including
technological failures, uncertainty as to which Direct Model ACM arrangements were in scope for
which Norkom Release (described further in paragraphs 64 to 66 below), insufficient post
implementation review to confirm that all arrangements the subject of the Structured Files IFTI
Implementation resulted in IFTIs being reported and an absence of appropriate end-to-end
reconciliation, assurance and oversight processes for IFTI reporting.
57 In order successfully to report Structured File IFTIs to the AUSTRAC CEO, various computer
systems within Westpac, including the Qvalent, Westpac Integrated Banking System (WIBS),
Sterling Integrator and Norkom/Detica systems, needed to be properly configured, as described
immediately below.
Footnote 1: The extension of the IFTI reporting requirement for reporting entities to 12 September 2010 followed the identification of issues by
AUSTRAC during the transition testing phase, during which time it worked closely with the major reporting entities, including
Westpac.
58 Qvalent and WIBS are systems through which Westpac receives payment instruction files from
correspondent banks. Structured Files received from Bank A were received through Qvalent and
passed to WIBS for processing. Structured Files received from Bank B were received through
WIBS, not Qvalent.
59 WIBS was a Westpac system that enabled customers to connect to Westpac using a variety of
different connectivity methods (SWIFT FileAct, SFTP, FTP, HTTPS and XCOM) to send and
receive data, including instructions relating to transfers into and out of the customer’s account
and account statements. The files received by WIBS were processed within WIBS according to a
configuration that was set in accordance with the arrangement with each Westpac customer.
This configuration determined if the files required transformation (from one format to another),
which payment system they should be passed to for processing, and any other customer-specific
processing rules. WIBS connectivity solutions were used by each correspondent bank using the
Direct Model ACM arrangements, including Banks A and B. Structured Files received through
WIBS were then passed to other systems to effect payment and file necessary regulatory reports
(including IFTIs).
60 Sterling Integrator was an intermediate system that transferred files between systems within
Westpac.
61 Norkom (subsequently called Detica) was Westpac's financial crime detection, case management
and regulatory reporting information technology system, developed by Norkom and provided by
vendor BAE Systems. The Detica system was used as the primary tool for customer screening
(in respect of terrorism financing, sanctions and politically exposed person lists), customer risk
assessments, sanctions payments screening and transaction monitoring alert workflow and case
management, as well as facilitating the reporting of suspicious matters, threshold transactions
and IFTIs.
62 Where all systems were properly configured, Structured Files were received by Westpac via
WIBS, converted to an IFTI reporting format, passed to Norkom/Detica using Sterling Integrator
and then processed into an IFTI report in the specified format to be uploaded to AUSTRAC.
63 Over the course of the projects referred to in paragraph 54 above, it became evident to Westpac
that particular issues were associated with reporting IFTIs for the Structured Files, and that
Westpac would not meet the 12 September 2010 timeframe (or subsequently agreed timeframes)
for the completion of the Structured Files IFTI Implementation (including for those IFTIs received
through the ACM arrangements in place with correspondent banks). Westpac was in regular
correspondence with AUSTRAC in late 2010 and early 2011 regarding the timing of the
Structured Files IFTI Implementation.
64 Following engagement with AUSTRAC with respect to the delay, Westpac commenced reporting
IFTIs received in Structured Files pursuant to a series of “Norkom Releases”.
65 The relevant “Norkom Releases” were as follows:
(a) In November 2010, pursuant to the November 2010 Norkom Release, Westpac
commenced reporting IFTIs received through the SWIFT network. This reporting did not
include Structured Files.
(b) Reporting of Structured Files was intended to commence in March 2011. However, due
to technical errors identified in the testing process, the reporting of IFTIs for Structured
Files received through Westpac's ACM arrangements was rescheduled to August 2011,
to be effected by the August 2011 Norkom Release.
(c) Before the August 2011 Norkom Release, in July 2011, Westpac implemented a process
known as the “July 2011 WIBS ‘go live’”. The “July 2011 WIBS ‘go live’” process aimed to
enable the reporting of IFTIs received through the ACM arrangements. However, to
result in IFTIs being reported, the changes to be implemented by the “July 2011 WIBS ‘go
live’” process required the implementation of an IFTI converter correctly configured for the
Structured File formats used by each of the correspondent banks. That in turn required
the correct configuration of WIBS, the Sterling Integrator and Detica. In particular:
(i) WIBS would receive and process Structured Files before passing them to other
systems to effect payment and file necessary regulatory reports (including IFTI
reports). The implementation and correct configuration of an IFTI converter was
an essential part of the process. These IFTI converters read the data contained
in each Structured File and converted the data in each of the Structured Files into
the format required by the Detica system. A separate IFTI converter was
required for each ACM arrangement to reflect the differences in the Structured
Files received. Those IFTI converters then placed a copy of the reformatted IFTI
data in a dedicated “IFTI directory” within WIBS; and
(ii) only if the IFTI data was correctly configured could the Sterling Integrator transfer
this data to the Detica system to enable it to be reported to AUSTRAC in the
necessary IFTI reports.
As part of the “July 2011 WIBS ‘go live’”, IFTI converters were implemented and correctly
configured for a number of correspondent banks which were at that time using the Direct
Model ACM arrangements (including Banks D, E and F). This led to the IFTIs being
reported for these correspondent banks following the August 2011 Norkom Release.
(d) A further release occurred in November 2011 (the November 2011 Norkom Release).
66 The non-reporting of IFTIs for the Direct Model ACM arrangements with Banks A and B was
caused by a number of factors, including technological failures and uncertainty as to which Direct
Model ACM arrangements were in scope for which Norkom Release, and insufficient post
implementation review to confirm that all arrangements the subject of the Structured Files IFTI
Implementation resulted in IFTIs being reported. The following factors are likely to have caused or
contributed to the issue of IFTI reporting for the Direct Model ACM arrangements with Banks A
and B not commencing in 2011:
(a) Each of the Bank A and Bank B arrangements was included as either in or out of scope
for particular Norkom Releases (as distinct from being out of scope entirely or not
mentioned at all), and at least some work was undertaken towards reporting IFTIs for
these arrangements.
(b) There was some uncertainty regarding whether Bank A was in scope for the August 2011
Norkom Release. Ultimately, however, it appears not to have been included within scope.
Notwithstanding this, following the August 2011 Norkom Release, relevant personnel
within Westpac at the time incorrectly understood that the IFTI reporting in relation to
Bank A had in fact commenced and that thereafter the only item in the Structured Files
implementation process remaining was to ensure that Bank B was in fact included in the
November 2011 Norkom Release.
(c) Bank B was in scope for the November 2011 Norkom Release, following which relevant
personnel within Westpac incorrectly understood that the IFTI reporting in relation to
Bank B had in fact commenced.
(d) Between August 2011 and August 2012, approximately fifteen members of the WIBS
team left Westpac to work for ANZ, which may have contributed to a loss of corporate
knowledge of the complexity of the relevant arrangements and to an insufficient post-
implementation process to verify that incoming IFTIs for Banks A and B were being
reported to AUSTRAC.
67 Westpac did not have appropriate end-to-end reconciliation, assurance and oversight processes
in place to identify the ongoing IFTI reporting failures relating to the Direct Model ACM
arrangements with Banks A and B.
68 The issues surrounding Westpac not identifying the Bank A and Bank B IFTI non-reporting and
bringing it to the attention of senior management until around mid-2018 are set out in section
E.1.1, commencing at paragraph 318 below.
C.1.4 Reasons for failure to report: Banks C and D
69 As set out in paragraph 48 above, over 99.9% of the IFTIs received from Bank C and over 97% of
the IFTIs received from Bank D between 5 November 2013 and 3 September 2018 were reported
to AUSTRAC within 10 business days of Westpac receiving the relevant IFTI. This is because,
unlike for Bank A and Bank B, IFTI reporting commenced for the Direct Model ACM
arrangements:
(a) with Bank C: upon the commencement of the Direct Model ACM arrangement with Bank
C in 2016; and
(b) with Bank D: in 2011 (as part of the August 2011 Norkom Release).
70 Once the Group MLRO became aware of the IFTI non-reporting for the Direct Model ACM
arrangements with Bank A and Bank B in or around May 2018 (as detailed in section E.1.1
below), Westpac commenced an extensive reconciliation and validation exercise (involving
KPMG) in relation to IFTI reporting for the ACM arrangements with a number of correspondent
banks, including Banks C and D (the IFTI Reconciliation and Verification Project).
71 Through the IFTI Reconciliation and Verification Project, Westpac identified and promptly
informed AUSTRAC that it had identified isolated instances of non-reporting for some other
arrangements, including the Direct Model ACM arrangements with Banks C and D. The reasons
for these isolated instances of non-reporting are set out below.
Bank C
72 The reason for the non-reporting of 37 incoming IFTIs for Bank C (which related to six Structured
Files) in accordance with section 45(2) of the AML/CTF Act was a programming error in the core
scheduling engine at Qvalent, which prevented the IFTI reporting process from running to
completion on non-banking days, and also for Structured Files received on non-banking days.
This issue was not identified at the time as affecting the IFTI reporting process. The
programming error affected reporting for six Structured Files received from Bank C between
March and December 2017.
73 Westpac did not have appropriate end-to-end reconciliation, assurance and oversight processes
in place to identify the IFTI reporting failures relating to the Direct Model ACM arrangements with
Bank C.
74 The non-reporting of the incoming IFTIs for Bank C was first identified on 27 August 2018 as part
of the IFTI Reconciliation and Verification Project and was disclosed to AUSTRAC on 17 October
2018. The non-reported IFTIs were provided to AUSTRAC on 22 October 2018.
Bank D
75 The reasons for the non-reporting of 13,239 incoming IFTIs for Bank D (which related to 25
Structured Files) in accordance with section 45(2) of the AML/CTF Act were as follows:
(a) For 24 of the 25 Structured Files, the non-reporting was due to the same programming
error in the core scheduling engine at Qvalent described at paragraph 72 above, which
affected reporting for 24 Structured Files received from Bank D between October 2017
and January 2018.
(b) For the remaining Structured File (received on 15 December 2014), Westpac has been
unable to identify the root cause of the non-reporting. System logs indicate that there was
a delay in the generation of overnight IFTI reporting files, which led to those files being
supplied from WIBS to the Detica system after midnight. This delay resulted in two sets of
IFTI files being received by Detica on the same date. This may have caused the non-
reporting of the IFTIs received on 15 December 2014.
76 Westpac did not have appropriate end-to-end reconciliation, assurance and oversight processes
in place to identify the IFTI reporting failures relating to the Direct Model ACM arrangements with
Bank D.
77 The non-reporting of the incoming IFTIs for Bank D was first identified by Westpac on 27 August
2018 as part of the IFTI Reconciliation and Verification Project and was disclosed to AUSTRAC
on 17 October 2018. The non-reported IFTIs were provided to AUSTRAC between 22 October
and 21 November 2018.
C.1.5 Ordering Institution A Incoming IFTIs
78 In addition to its relationships with the correspondent banks described above, since 1 October
2016 Westpac had an arrangement with Ordering Institution A, the identity of which is set out in
Confidential Annexure A to this SAFA. Ordering Institution A was an ordering institution for the
purposes of section 8 of the AML/CTF Act. The arrangement between Westpac and Ordering
Institution A allowed for the transfer of international payments by overseas customers of Ordering
Institution A to Australian beneficiaries.
79 Westpac’s relationship with Ordering Institution A arose out of its relationship with X Corporation
(the identity of which is also set out in Confidential Annexure A to this SAFA), which
commenced on 16 November 2011. X Corporation was acquired by Ordering Institution A with
the transaction completing on 12 November 2015. The relevant arrangement with Ordering
Institution A commenced on 1 October 2016.
80 Through that arrangement:
(a) overseas customers of Ordering Institution A initiated requests for payment instructions
through an application or desktop interface;
(b) Ordering Institution A received those payment instructions in the United States of
America;
(c) Ordering Institution A sent those instructions to Westpac via a direct Secure File Transfer
Protocol (SFTP) connection in a Structured File;
(d) Westpac processed those payment instructions to Australian beneficiary accounts; and
(e) the transfers within the domestic Australian payment system were funded from an
account held by Ordering Institution A with Westpac. Ordering Institution A funded that
account by transfers from its bank account in a foreign country. That transfer was
processed by means of a SWIFT message sent from Ordering Institution A’s foreign
bank.
81 At the time Westpac originally entered into the relevant arrangements with X Corporation on 16
November 2011, X Corporation was not a class of person that was an ordering institution within
the meaning of section 8 or 9 of the AML/CTF Act. To the extent that the arrangements with X
Corporation involved electronic funds transfer instructions, the first person in the funds transfer
chain that was an ordering institution was always Westpac and Westpac accepted the instruction
in Australia (such that the electronic funds transfers were not IFTIs within the meaning of item 4
of the table in section 46 of the AML/CTF Act because the money was made available to the
payee by being credited to an account with an Australian bank).
82 Following Ordering Institution A’s acquisition of X Corporation, from 1 October 2016 Ordering
Institution A replaced X Corporation as the entity from which Westpac received instructions under
the arrangement. The replacement of X Corporation with Ordering Institution A had a
consequential impact on Westpac’s IFTI reporting obligations in respect of the arrangement.
However, Westpac’s control environment at the time, including its end-to-end reconciliation
processes, did not detect this change to its incoming IFTI reporting obligations having regard to
Ordering Institution A’s acquisition of X Corporation. Ordering Institution A’s acquisition of X
Corporation did not trigger a review of Westpac's anti-money laundering and counter-terrorism
financing (AML/CTF) reporting obligations in relation to the arrangement.
83 In September 2018, Westpac commenced a detailed analysis of international payment flows
involving Westpac’s financial institution clients outside its ACM arrangements to determine
whether reportable IFTIs were not, in fact, being reported. In November 2018, as part of that
analysis, Westpac formed the view that it should commence reporting IFTIs in respect of its
arrangement with Ordering Institution A. This change in view was reported to senior
management, including the General Manager of Global Transaction Services, in November 2018.
Westpac informed AUSTRAC of this change in approach on 21 November 2018.
84 From October 2016 to 19 November 2018, Westpac was the recipient of 61,717 incoming IFTIs
under the Ordering Institution A arrangements described above, totalling approximately
$101,333,384. Those incoming IFTIs were:
(a) electronic funds transfer instructions for the purposes of section 8(1) of the AML/CTF Act
in that:
(i) the customer of Ordering Institution A (the payer) instructed Ordering Institution A
to transfer money controlled by the payer to a third person (the payee) on the
basis that the transferred money would be made available to the payee by a
beneficiary institution (which was either an ADI, bank, building society or credit
union for the purposes of section 8(1)(d) of the AML/CTF Act); and
(ii) the transfer instructions referred to in subparagraph (i) above were passed on
wholly or partly by electronic means; and
(b) accepted at or through a permanent establishment of Ordering Institution A in a foreign
country.
85 The transferred money relating to each incoming IFTI referred to in paragraph 84 above was
made available to the payee at or through a permanent establishment of the beneficiary institution
in Australia.
86 By reason of the matters referred to in paragraphs 46 and 78 to 85 above, Westpac was required
to give AUSTRAC a report of each of the incoming IFTIs referred to in paragraph 84 above within
10 business days after the date each incoming IFTI was received.
87 In the period from 27 May 2019 to 20 September 2019, Westpac gave AUSTRAC a report of
each incoming IFTI referred to in paragraph 84 above. The 61,717 reports were provided later
than 10 business days after the incoming IFTIs’ receipt by Westpac as required by section 45(2)
of the AML/CTF Act.
C.1.6 Bank B Outgoing IFTIs
88 To the extent that Westpac was the sender of an IFTI transmitted out of Australia as described in
item 1 of the table in section 46 of the AML/CTF Act (outgoing IFTI), section 45(2) of the
AML/CTF Act required Westpac, within 10 business days after the day on which the instruction
was sent by it, to give the AUSTRAC CEO a report about the instruction. That report was
required by section 45(3) of the AML/CTF Act to be in the approved form and contain such
information relating to the matter as was specified in the AML/CTF Rules.
89 During the Relevant Period, Westpac was the sender of 10,771 Bank B Outgoing IFTIs totalling
$707,409,296, which was part of the Direct Model ACM arrangements that were in place with
Bank B. Those outgoing IFTIs were:
(a) electronic funds transfer instructions for the purposes of section 8(1) of the AML/CTF Act
in that:
(i) the customer (the payer) instructed Westpac (the ordering institution, and an ADI
for the purposes of section 8(1)(c)(i) of the AML/CTF Act) to transfer money
controlled by the payer to a third person (the payee) on the basis that the
transferred money would be made available to the payee by Bank B (the
beneficiary institution, and a bank for the purposes of section 8(1)(d)(ii) of the
AML/CTF Act); and
(ii) the transfer instructions referred to in subparagraph (i) were passed on wholly or
partly by electronic means; and
(b) accepted at or through a permanent establishment of Westpac in Australia.
90 The transferred money relating to each outgoing IFTI identified at paragraph 89 above was made
available to the payee at or through a permanent establishment of Bank B in a foreign country.
91 By reason of the matters referred to in paragraphs 88 to 90 above, Westpac was required to give
AUSTRAC a report of each outgoing IFTI referred to in paragraph 89 above within 10 business
days after the date each outgoing IFTI was sent.
92 On 4 October 2019, Westpac gave AUSTRAC reports of each outgoing IFTI referred to in
paragraph 89 above. The 10,771 reports were not provided within 10 business days of Westpac
sending the outgoing IFTIs, as required by section 45(2) of the AML/CTF Act.
93 The reason that the outgoing IFTIs for Bank B were not reported to AUSTRAC in accordance with
section 45(2) of the AML/CTF Act was that before November 2018, Westpac held the mistaken
view that there was no relevant “instruction” to Bank B. This is because the arrangement
involved Westpac reporting transfers to the Bank B Settlement Account to Bank B by sending a
BAI2 Statement Format account statement to Bank B, details of which are set out in paragraph 38
above. Prior to November 2018, Westpac’s view was that the statements in BAI2 Statement
Format were account statements, and did not constitute “instructions”. Westpac did not have
appropriate processes in place to identify and correct this mistaken view. Further detail regarding
the reasons that the outgoing IFTIs for Bank B were not reported to AUSTRAC is set out in
section E.1.1 below.
94 However, during the course of Project 106 (a Westpac project established in August 2018 to
ascertain the scale of IFTI non-reporting in respect of the Direct Model ACM arrangements,
address that non-reporting and ensure that IFTIs were reported for these arrangements moving
forward), the Project 106 team reviewed the Bank B Outgoing IFTIs and formed the view that they
should be reported as outgoing IFTIs, which commenced after Westpac reported the matter to
AUSTRAC on 21 November 2018.
C.1.7 LitePay Outgoing IFTIs
95 Between August 2016 and November 2019, Westpac offered its customers a product known as
LitePay, which facilitated overseas transfers of up to $3,000 to the European Union, Great Britain,
India and the Philippines (with arrangements for different jurisdictions commencing at different
points from August 2016 onwards).
96 To facilitate payments to the European Union, Great Britain, India and the Philippines, Westpac
had arrangements in place with Banks B, C and Q through which those correspondent banks
could receive international funds transfers of up to $3,000 from Westpac accounts via LitePay,
following which they would initiate payment instructions to the beneficiary banks in the relevant
overseas countries.
97 The SWIFT network was used for LitePay international payment instructions to the European
Union, Great Britain and India. LitePay payments to the Philippines were sent via an application
programming interface (API) connection. The API allowed for direct connectivity from Westpac to
Bank Q for the sending of payment instructions from Westpac and not via the SWIFT network.
Bank Q processed instructions received via an API through the domestic Philippines payment
system.
98 The arrangements described in paragraphs 95 to 97 above involved the provision of designated
services by Westpac to customers within the meaning of section 6(1) of the AML/CTF Act.
99 Westpac advised AUSTRAC that between August 2016 and November 2019 it was the sender of
approximately 215,320 LitePay Outgoing IFTIs under arrangements with Banks B, C and Q,
totalling $202,625,872. The LitePay Outgoing IFTIs were:
(a) electronic funds transfer instructions for the purposes of section 8(1) of the AML/CTF Act
in that:
(i) the customer (the payer) instructed Westpac (the ordering institution, and an ADI
for the purposes of section 8(1)(c)(i) of the AML/CTF Act) to transfer money
controlled by the payer to a third person (the payee) on the basis that the
transferred money would be made available to the payee by Bank B, C or Q or
another financial institution (the beneficiary institutions, and banks for the
purposes of section 8(1)(d)(ii) of the AML/CTF Act); and
(ii) the transfer instructions referred to in subparagraph (i) were passed on wholly or
partly by electronic means; and
(b) accepted at or through a permanent establishment of Westpac in Australia.
100 The transferred money relating to each of the LitePay Outgoing IFTIs was made available to the
payee at or through a permanent establishment of Bank B, C or Q or another financial institution
in a foreign country.
101 By reason of the matters referred to in paragraphs 95 to 100 above, Westpac was required to
give AUSTRAC a report of each outgoing IFTI referred to in paragraph 99 above within 10
business days after the date each LitePay Outgoing IFTI was sent.
102 Of the 215,320 LitePay Outgoing IFTIs, Westpac did not report 2,314 IFTIs within 10 business
days of sending the IFTI, as required by section 45(2) of the AML/CTF Act, due to a lack of
appropriate end-to-end reconciliation, assurance and oversight processes.
103 On 25 November 2019, Westpac gave AUSTRAC reports of each of these 2,314 LitePay
Outgoing IFTIs.
104 As set out in paragraphs 105 to 107, there were several reasons for the non-reporting of 2,314
LitePay Outgoing IFTIs in accordance with section 45(2) of the AML/CTF Act.
105 In May 2017, a technical issue affected the database replication within the LitePay payment
system (Global Payplus Services Platform (GPP-SP)). Database replication was a necessary
step to ensure that the GPP-SP system passed instructions on to the Detica system. As a result
of this technical issue, 1,030 LitePay Outgoing IFTIs were not passed from the GPP-SP system
to the Detica system. This, in turn, meant that those LitePay Outgoing IFTIs were not reported to
AUSTRAC.
106 In November 2018, a technical issue following the implementation of a SWIFT Standards Release
affected payment processing in the GPP-SP system. As a result of this issue, support teams had
to manually intervene in the process to set the payment status of each LitePay Outgoing IFTI to
'complete'. That manual intervention prevented an automated process from completing for 828
affected IFTIs, which meant that those IFTIs were not passed from the GPP-SP system to the
Detica system. This, in turn, meant that the 828 affected LitePay Outgoing IFTIs were not
reported to AUSTRAC.
107 Between February 2017 and June 2019, a further 456 LitePay Outgoing IFTIs were not reported
due to a number of separate and isolated technology-related factors.
108 Westpac did not have appropriate end-to-end reconciliation, assurance and oversight processes
in place to identify the IFTI reporting failures relating to the LitePay Outgoing IFTIs.
109 The non-reporting of certain LitePay Outgoing IFTIs was first identified by Westpac in July 2019
when the monthly reconciliation process detected a small number of breaks in the reporting of
LitePay IFTIs. Westpac initiated a complete lookback reconciliation process in relation to LitePay
IFTI reporting and disclosed the non-reporting to AUSTRAC on 29 October 2019. The 2,314
LitePay Outgoing IFTIs referred to above were reported to AUSTRAC on 25 November 2019.
C.1.8 IFTIs without payer name
110 From 13 October 2014 to 1 November 2018 Westpac was the recipient of:
(a) 75,069 IFTIs transmitted into Australia by Bank F within the meaning of item 2 of the table
in section 46 of the Act, totalling $82,247,485; and
(b) 1,075 IFTIs transmitted into Australia by Bank A within the meaning of item 2 of the table
in section 46 of the Act, totalling $484,014,
in respect of which Westpac did not include the name of the payer in its reports to AUSTRAC, as
described in the paragraphs immediately below.
111 Section 45(2) of the AML/CTF Act required Westpac to give the AUSTRAC CEO a report of each
of these instructions within 10 business days after the date the instruction was received. In
purported compliance with this requirement, Westpac gave the AUSTRAC CEO an IFTI report
within 10 business days after receiving each instruction.
112 However, a report under section 45(2) of the AML/CTF Act must contain such information relating
to the matter as is specified in the AML/CTF Rules: section 45(3)(b). Paragraph 16.3(1) of the
AML/CTF Rules required each report given to the AUSTRAC CEO under section 45(2) of the
AML/CTF Act about an instruction within the meaning of item 2 of the table in section 46 of the
Act to contain the name of the payer. ‘Payer’ was relevantly defined in sections 5 and 8(1)(a) of the
AML/CTF Act.
113 Contrary to section 45(3)(b) of the AML/CTF Act and paragraph 16.3(1) of the AML/CTF Rules,
each of the reports relating to each instruction identified at paragraph 110 did not contain the
name of the payer:
(a) In relation to 73,777 of the Bank F instructions - in place of the name of the payer, each
of the reports contained the words ‘payer name not supplied by ordering institution’ in the
‘OC Payer’ field;
(b) In relation to 1,292 of the Bank F instructions - in place of the name of the payer, the ‘OC
Payer’ field was left blank.
(c) In relation to each of the 1,075 instructions from Bank A, in place of the name of the
payer, each of the reports contained a series of numbers and/or letters in the ‘OC Payer’
field.
114 By reason of the matters at paragraph 113, Westpac did not give the AUSTRAC CEO a report
about each of the instructions identified at paragraph 110 in accordance with section 45(2) of the
AML/CTF Act. Westpac accordingly contravened section 45(2) of the AML/CTF Act on 76,144
occasions.
115 Westpac did not have appropriate end-to-end reconciliation, assurance and oversight processes
in place to identify the absence of the payer name in these IFTIs.
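An added illustration, not part of the Statement of Agreed Facts and not code from any party to it, of the kind of end-to-end reconciliation that paragraphs 67, 108 and 115 describe as absent: instructions counted at the point of receipt are compared with the reports lodged, against the 10 business day window and the payer-name defects in paragraph 113. The record layouts, arrangement names and the identifier heuristic are assumptions, and the sample records are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, Iterable, List, Optional

# Wording quoted in paragraph 113(a) above.
PLACEHOLDER = "payer name not supplied by ordering institution"
REPORTING_WINDOW = 10  # business days, per section 45(2) as described above


@dataclass(frozen=True)
class Instruction:
    """One instruction counted where it enters the pipeline (hypothetical schema)."""
    ref: str
    arrangement: str
    received: date


@dataclass(frozen=True)
class Report:
    """One IFTI report as actually lodged (hypothetical schema)."""
    ref: str
    lodged: date
    payer_name: str


def add_business_days(start: date, n: int,
                      holidays: FrozenSet[date] = frozenset()) -> date:
    """Date n business days after start; weekends and listed holidays never count."""
    day = start
    while n > 0:
        day += timedelta(days=1)
        if day.weekday() < 5 and day not in holidays:
            n -= 1
    return day


def payer_name_problem(name: str) -> Optional[str]:
    """Classify the three defects listed in paragraph 113, or return None."""
    cleaned = name.strip()
    if not cleaned:
        return "blank"
    if cleaned.lower() == PLACEHOLDER:
        return "placeholder"
    # Heuristic (assumption): one unbroken token containing a digit is an
    # identifier rather than a person or company name.
    if " " not in cleaned and any(ch.isdigit() for ch in cleaned):
        return "identifier"
    return None


def reconcile(instructions: Iterable[Instruction], reports: Iterable[Report],
              as_of: date,
              holidays: FrozenSet[date] = frozenset()) -> Dict[str, List[str]]:
    """Compare what was received with what was lodged and list every break."""
    by_ref = {r.ref: r for r in reports}
    out: Dict[str, List[str]] = {
        k: [] for k in ("overdue", "pending", "late", "bad_payer")}
    seen, reporting, overdue_arr = set(), set(), set()
    for ins in instructions:
        seen.add(ins.ref)
        due = add_business_days(ins.received, REPORTING_WINDOW, holidays)
        rep = by_ref.get(ins.ref)
        if rep is None:
            if as_of > due:
                out["overdue"].append(ins.ref)
                overdue_arr.add(ins.arrangement)
            else:
                out["pending"].append(ins.ref)
            continue
        reporting.add(ins.arrangement)
        if rep.lodged > due:
            out["late"].append(ins.ref)
        if payer_name_problem(rep.payer_name):
            out["bad_payer"].append(ins.ref)
    # Reports with no matching source record point at a gap in the source feed.
    out["orphan"] = sorted(ref for ref in by_ref if ref not in seen)
    # Arrangements with overdue items and no report at all: reporting never started.
    out["silent"] = sorted(overdue_arr - reporting)
    return out


def sample_run() -> Dict[str, List[str]]:
    """Constructed records; 4 March 2017 is a Saturday (a non-banking day)."""
    d = lambda day: date(2017, 3, day)
    instructions = [
        Instruction("X-001", "ARR-X", d(1)), Instruction("X-002", "ARR-X", d(4)),
        Instruction("X-003", "ARR-X", d(1)), Instruction("X-004", "ARR-X", d(1)),
        Instruction("X-005", "ARR-X", d(1)), Instruction("X-006", "ARR-X", d(1)),
        Instruction("Y-001", "ARR-Y", d(2)), Instruction("Z-001", "ARR-Z", d(30)),
    ]
    reports = [
        Report("X-001", d(10), "Jane Citizen"), Report("X-003", d(20), "Jane Citizen"),
        Report("X-004", d(3), ""), Report("X-005", d(3), PLACEHOLDER),
        Report("X-006", d(3), "0012AB9987"), Report("Q-999", d(3), "Jane Citizen"),
    ]
    return reconcile(instructions, reports, as_of=d(31))


if __name__ == "__main__":
    for kind, refs in sample_run().items():
        print(f"{kind:10} {refs}")
```

The source side has to be counted where instructions first arrive rather than at the reporting system's input, otherwise records that never reach the reporting system are invisible to the comparison.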
C.2 Information about the origin of the transferred money – contraventions of Part 5 of the
AML/CTF Act
C.2.1 The required transfer information – contraventions of section 64(7)(f) of the
AML/CTF Act
116 Among other things, section 64 of the AML/CTF Act imposes obligations regarding the
information about the origin of funds that institutions in a funds transfer chain are required to
include in instructions they send to the next institution in the funds transfer chain.
117 The obligations that are imposed on:
(a) each person (if any) interposed between the ordering institution and the beneficiary
institution (the interposed institution) are set out in section 64(7) of the AML/CTF Act;
and
(b) ordering institutions are set out in section 64(6) of the AML/CTF Act.
118 For the reasons set out in this part C.2.1 and C.2.2 below, respectively, Westpac breached each
of these requirements in respect of the Bank B Outgoing IFTIs Arrangement.
119 At all material times, under section 64(2) of the AML/CTF Act, the following persons
(institutions) were taken to form a funds transfer chain in respect of a multiple-institution person-
to-person electronic funds transfer instruction or a multiple-institution same-person electronic
funds transfer instruction:
(a) the ordering institution;
(b) the interposed institution; and
(c) the beneficiary institution.
120 At all material times, under section 64(7)(f) of the AML/CTF Act, if:
(a) an institution is in the funds transfer chain;
(b) the institution is an interposed institution and the transfer instruction is passed on to the
interposed institution at or through a permanent establishment in Australia;
(c) the transfer instruction is accepted by the ordering institution at or through a permanent
establishment of the ordering institution in Australia; and
(d) some or all of the required transfer information was passed on to the institution by
another institution in the funds transfer chain,
then, before passing on the transfer instruction to another institution in the chain, the interposed
institution was required to ensure that the instruction included so much of the required transfer
information (as defined in section 70 of the AML/CTF Act) as was passed on to the interposed
institution as mentioned in subparagraph (d) above.
121 In the period from 1 January 2014 to 3 February 2019, under the Direct Model ACM
arrangements that Westpac had in place with Bank B, Westpac was an interposed institution in
relation to 8,140 IFTIs (contained within 1,280 BAI2 Statement Format account statements)
transmitted outside of Australia within the meaning of item 1 of the table in section 46 of the
AML/CTF Act, totalling $601,568,069. Each of those instructions:
(a) was a multiple-institution person-to-person electronic funds transfer instruction or a
multiple-institution same-person electronic funds transfer instruction in which Westpac
was an interposed institution in the funds transfer chain that was passed on to Westpac
at or through its permanent establishment in Australia; and
(b) was accepted by the ordering institution at or through a permanent establishment of the
ordering institution in Australia.
122 When Westpac received each of the instructions referred to in paragraph 121 above as an
interposed institution, some or all of the required transfer information was passed on to Westpac
by another institution in the funds transfer chain.
123 When Westpac sent each of the instructions referred to in paragraph 121 above to another
institution in the funds transfer chain, being Bank B, Westpac did not include in the instruction so
much of the required transfer information as it had been given as referred to in paragraph 120
above. The Bank B Outgoing IFTI Arrangements involved Westpac reporting transfers to the
Bank B Settlement Account to Bank B by sending an account statement in BAI2 Statement
Format to Bank B. As noted at paragraph 38 above, BAI2 Statement Format is a standard format
used for account statements. While Westpac included certain information in the BAI2 statements
(including remitter name, lodgement reference, beneficiary account number, amount, date and a
unique reference number assigned by Westpac), it did not include the payer account number,
which is not a standard data field on bank statements, but is required transfer information (as
defined in section 70 of the AML/CTF Act).
124 By reason of the matters referred to in paragraphs 121 to 123 above, Westpac did not provide the
requisite information in respect of 8,140 transactions, as required by section 64(7)(f) of the
AML/CTF Act.
125 The reason Westpac did not include in the instructions the payer account number as referred to in
paragraph 123 above was that, prior to November 2018, Westpac’s mistaken view was that the
statements in BAI2 Statement Format were account statements, and did not constitute
“instructions”. On this basis, Westpac did not consider that the BAI2 statements were subject to
the obligations in section 64(7)(f) of the AML/CTF Act. Westpac did not have appropriate
processes in place to identify and correct this mistaken view. However, as noted at paragraph 94
above, during the course of Project 106, the Project 106 team reviewed Direct Model ACM
arrangements that Westpac had in place with Bank B and formed the view in November 2018 that
they did involve “instructions” for the purposes of section 64(7)(f) of the AML/CTF Act. On 22
November 2018, Westpac confirmed to AUSTRAC that it would commence reporting IFTIs for
this arrangement.
C.2.2 The required transfer information – contraventions of section 64(6) of the AML/CTF
Act
126 At all material times, under section 64(6) of the AML/CTF Act, if (in respect of a multiple-institution
person-to-person electronic funds transfer instruction or a multiple-institution same-person
electronic funds transfer instruction):
(a) the ordering institution was in the funds transfer chain; and
(b) the transfer instruction was accepted by the ordering institution at or through a permanent
establishment of the ordering institution in Australia,
then, before the ordering institution passed on the transfer instruction to another person in the
chain, the ordering institution was required to ensure that the instruction included the required
transfer information (as defined in section 70 of the AML/CTF Act).
127 In the period 1 January 2014 to 3 February 2019, under the Direct Model ACM arrangements that
Westpac had in place with Bank B, Westpac was the ordering institution in relation to 2,400 IFTIs
(contained within 1073 BAI2 Statement Format account statements) transmitted out of Australia
within the meaning of item 1 of the table in section 46 of the AML/CTF Act, totalling $92,891,622.
Each of those instructions:
(a) was part of a multiple-institution person-to-person electronic funds transfer instruction or
a multiple-institution same-person electronic funds transfer instruction in which Westpac
was the ordering institution in the funds transfer chain; and
(b) was accepted by Westpac as the ordering institution at or through its permanent
establishment in Australia.
128 When Westpac (as ordering institution) accepted each of the instructions referred to in paragraph
127 above, Westpac obtained the complete payer information (as defined in section 71 of the
AML/CTF Act).
129 In respect of each instruction referred to in paragraph 127 above, before passing it on to another
institution in the funds transfer chain, Westpac did not include the required transfer information in
the instruction, as required by section 64(6) of the AML/CTF Act. As noted at paragraph 123
above, the Bank B Outgoing IFTIs Arrangements involved Westpac reporting transfers to the
Bank B Settlement Account to Bank B by sending an account statement in BAI2 Statement
Format to Bank B. While Westpac included certain information in the BAI2 Statement Format
account statements (including remitter name, lodgement reference, beneficiary account number,
amount, date and a unique reference number assigned by Westpac), it did not include the payer
account number, which is not a standard data field on bank statements, but is required transfer
information (as defined in section 70 of the AML/CTF Act).
130 The reason why Westpac did not include in the instructions the payer account number as referred
to in paragraph 128 above was the same reason referred to in paragraph 125 above. The cause
of the failure to include that required transfer information in the BAI2 Statement Format account
statements was the same cause referred to in paragraph 125 above.
C.3 Making and retaining records – contraventions of section 115 of the AML/CTF Act
131 The Direct Model ACM arrangements with Bank A (the Bank A arrangements) involved Bank A
passing on to Westpac multiple-institution person-to-person electronic funds transfer instructions
to which section 64 of the AML/CTF Act applied. Westpac retained all records that it was required
to retain in respect of most of these transfer instructions received from Bank A under the Bank A
Arrangements. However, during the period 15 March 2011 to 1 July 2016 Westpac failed to retain
for the necessary period one required component in relation to 3,516,238 transfer instructions
passed on to Westpac by Bank A (Relevant Transfer Instructions), in relation to which:
(a) Bank A was the ordering institution in the funds transfer chain;
(b) Westpac was the interposed institution in the funds transfer chain;
(c) Westpac passed on the transfer instruction, at or through a permanent establishment in
Australia, to another financial institution in the funds transfer chain;
(d) the transferred money was made available at or through a permanent establishment of
the beneficiary institution in Australia;
(e) Bank A passed on to Westpac some or all of the required transfer information (as defined
in section 70 of the AML/CTF Act) (required transfer information);
(f) the transfer instruction was accepted by Bank A at or through a permanent establishment
in a foreign country; and
(g) the transfer instruction was passed on to Westpac by a permanent establishment of Bank
A in a foreign country.
132 The Relevant Transfer Instructions were in respect of 325 Structured Files received by Westpac
on the following dates between 15 March 2011 and 1 July 2016:
(a) 15 March 2011 to 3 October 2012 (318 Structured Files and 3,367,453 transfer
instructions);
(b) 1 April 2015 (1 Structured File and 16,921 transfer instructions);
(c) 1 July 2015 to 2 July 2015 (2 Structured Files and 38,862 transfer instructions);
(d) 1 October 2015 and 2 October 2015 (2 Structured Files and 30,237 transfer instructions);
(e) 1 April 2016 (1 Structured File and 27,220 transfer instructions); and
(f) 1 July 2016 (1 Structured File and 35,545 transfer instructions).
133 By reason of the matters referred to in paragraphs 131 to 132 above, Westpac was required, by
section 115(2) of the AML/CTF Act and in respect of each of the Relevant Transfer Instructions,
to:
(a) make a record of so much of the required transfer information as was passed on to
Westpac as mentioned in subparagraph 131(e) above; and
(b) retain that record, or a copy of that record, for 7 years after the transfer instruction was
passed on to Westpac.
134 In respect of each of the Relevant Transfer Instructions, while Westpac made a record of so
much of the required transfer information (as defined in section 70 of the AML/CTF Act) as was
passed on to Westpac as mentioned in subparagraph 131(e) above, it did not retain a record of
all of this information for 7 years after the transfer instructions were received by Westpac. The
one record that Westpac did not retain for 7 years was a record of the unique reference number
that was passed on to it by Bank A. That unique reference number was provided to Bank A's
customer by Bank A as a reference number for the transaction. It was important for Westpac to
retain a record of Bank A's unique reference number for each transaction because it enabled the
origin of funds to be traced efficiently and quickly, if required by AUSTRAC or law enforcement.
135 Westpac retained a record of all other information passed on to it by Bank A in relation to the
Relevant Transfer Instructions, including:
(a) Beneficiary BSB
(b) Beneficiary Account Number
(c) Amount
(d) Beneficiary Name
(e) Lodgement Reference
(f) Name of Remitter.
136 By reason of the matters referred to in paragraphs 131 to 134 above, Westpac contravened
section 115(2) on 3,516,238 occasions.
137 The reasons Westpac did not retain the records referred to in paragraph 134 above are as
follows:
(a) as noted at paragraph 58 above, Qvalent and WIBS are systems through which Westpac
receives payment instruction files from correspondent banks. Structured Files received
from Bank A were received through Qvalent and passed to WIBS for processing;
(b) at all relevant times, both Qvalent and WIBS included backup systems that retained a
record of the original transfer instructions received from Bank A;
(c) in relation to the 3,367,453 transfer instructions referred to in subparagraph 132(a)
above:
(i) records of the original instructions were not retained for a period of 7 years in the
Qvalent backup system as a result of a change in the backup system around the
end of 2012, which led to the relevant transfer instructions from Bank A that were
stored in the old backup system being lost; and
(ii) records of the original instructions were not retained for a period of 7 years in the
WIBS backup system as a result of the manual tape backup process that was in
place for that system prior to November 2014. This backup tape process relied on
manual action by the infrastructure operations team and involved the physical
removal and replacement of magnetic tapes when full to capacity. As part of this,
tapes were recycled, such that old data was often overwritten by newer data when
the magnetic tapes were manually swapped out;
(d) in relation to the 148,785 transfer instructions referred to in subparagraphs 132(b) to
132(f) above:
(i) records of the original instructions were not retained for a period of 7 years in the
Qvalent backup system as a result of a configuration gap in the quarterly
schedule which did not correctly account for months with 31 days. The
configuration gap meant that the Qvalent system backed up the previous 90 days
only, which led to a 1 to 2 day gap in certain of the quarterly backups between
April 2015 and July 2016; and
(ii) records of the original instructions were not retained for a period of 7 years in the
WIBS backup system as a result of the electronic backup system that was
introduced in November 2014 being configured for a period between November
2014 and early 2017 to store monthly backups for 12 months from the date of
backup; and
(e) it did not have appropriate IT change management, assurance and oversight processes
in place with respect to record keeping.
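The two backup failure modes in subparagraphs 137(d)(i) and 137(d)(ii) can be checked mechanically before a schedule goes live. The Python below is an added example, not Westpac's or Qvalent's configuration: it assumes one run on the last day of each calendar quarter and uses constructed policy values, because the page states only the 90-day lookback, the 12-month storage period and the 7-year requirement.

```python
from dataclasses import dataclass
from datetime import date, timedelta

REQUIRED_RETENTION_YEARS = 7  # section 115(2) retention period, as stated on the page


@dataclass(frozen=True)
class BackupPolicy:
    name: str
    lookback_days: int   # days of data captured per run, counting the run day itself
    retention_days: int  # how long each backup copy is kept before it expires


# Constructed policies. Only the 90-day lookback and the 12-month storage period
# come from the page; every other value is an assumption for illustration.
QUARTERLY_90 = BackupPolicy("quarterly run, 90-day lookback", 90, 7 * 366 + 92)
QUARTERLY_92 = BackupPolicy("quarterly run, 92-day lookback", 92, 7 * 366 + 92)
MONTHLY_12M = BackupPolicy("monthly run, copies kept 12 months", 31, 365)

# File receipt dates listed in subparagraphs 132(b) to 132(f) of the page.
DATES_ON_PAGE = [
    date(2015, 4, 1), date(2015, 7, 1), date(2015, 7, 2), date(2015, 10, 1),
    date(2015, 10, 2), date(2016, 4, 1), date(2016, 7, 1),
]

START, END = date(2015, 1, 1), date(2016, 9, 30)  # constructed audit window


def quarter_end_runs(first_year, last_year):
    """Assumed schedule: one backup run on the last calendar day of each quarter."""
    ends = ((3, 31), (6, 30), (9, 30), (12, 31))
    return [date(y, m, d) for y in range(first_year, last_year + 1) for m, d in ends]


RUNS = quarter_end_runs(2015, 2016)


def coverage_gaps(policy, runs, start, end):
    """Return every day in [start, end] that no run's lookback window captures."""
    covered = {run - timedelta(days=i) for run in runs for i in range(policy.lookback_days)}
    days = (start + timedelta(days=i) for i in range((end - start).days + 1))
    return [day for day in days if day not in covered]


def add_years(day, years):
    """Shift a date by whole years, mapping 29 February to 28 February if needed."""
    try:
        return day.replace(year=day.year + years)
    except ValueError:
        return day.replace(year=day.year + years, day=28)


def retention_shortfall(policy, record_date, backup_date):
    """How long before the required period ends the backup copy expires (0 if compliant)."""
    required_until = add_years(record_date, REQUIRED_RETENTION_YEARS)
    kept_until = backup_date + timedelta(days=policy.retention_days)
    return max(required_until - kept_until, timedelta(0))


def audit(policy, runs, start, end):
    """Report uncovered days and the worst retention shortfall across all runs.

    The newest record in a backup (dated on the run day) has the latest
    required-until date, so it is the worst case for that backup copy.
    """
    worst = max((retention_shortfall(policy, run, run) for run in runs), default=timedelta(0))
    return {"gap_days": coverage_gaps(policy, runs, start, end),
            "max_shortfall_days": worst.days}


if __name__ == "__main__":
    for policy in (QUARTERLY_90, QUARTERLY_92):
        result = audit(policy, RUNS, START, END)
        print(policy.name, [d.isoformat() for d in result["gap_days"]],
              "shortfall days:", result["max_shortfall_days"])
    short = retention_shortfall(MONTHLY_12M, date(2015, 4, 1), date(2015, 4, 30))
    print(MONTHLY_12M.name, "expires", short.days, "days before the 7-year period ends")
```

Under these assumptions the uncovered days include every receipt date listed in subparagraphs 132(b) to 132(f); a lookback derived from the previous run date, rather than a fixed day count, removes the dependency on quarter length altogether.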
C.4 Correspondent Banking Due Diligence – contraventions of section 98 of the AML/CTF
Act
C.4.1 Westpac’s Correspondent Banking Due Diligence Obligations
138 At all times throughout the Relevant Period, Westpac (as a bank and therefore a financial
institution within the meaning of section 5 of the AML/CTF Act, which had entered into
correspondent banking relationships that involved vostro accounts) was required by:
(a) section 98(1) of the AML/CTF Act to carry out regular assessments of the risks Westpac
may reasonably face that the correspondent banking relationship might (whether
inadvertently or otherwise) involve or facilitate ML/TF (Preliminary Risk Assessment);
and
(b) section 98(2) of the AML/CTF Act to:
(i) carry out regular assessments of such matters as specified in the AML/CTF
Rules; and
(ii) prepare a written record of each assessment as soon as practicable after the
completion of the assessment,
if carrying out those assessments was warranted by a Preliminary Risk Assessment
undertaken by Westpac in accordance with section 98(1) of the AML/CTF Act (Due
Diligence Assessments),
(together Westpac’s Correspondent Banking Due Diligence Obligations).
139 The term 'vostro account' is as defined in paragraph 11(e).
C.4.2 Systems and controls designed to comply with Westpac’s Correspondent Banking
Due Diligence Obligations
140 As stated in paragraph 10, while essential to the international financial system, correspondent
banking relationships present higher ML/TF risks. Identifying, assessing and mitigating those
risks is inherently challenging because the risks posed concern customers of the correspondent
bank rather than Westpac's customers.
141 Throughout the Relevant Period, Westpac had in place processes, systems and controls intended
to manage these risks and comply with Westpac’s Correspondent Banking Due Diligence
Obligations. Those processes, systems and controls are described in paragraphs 142 to 170
below.
C.4.2.1 Three Lines of Defence
142 Westpac had a 'Three Lines of Defence' risk management approach designed with the intention
of managing the ML/TF risk presented by its correspondent banking relationships and designated
services as set out immediately below.
First line of defence – risk identification, risk management and self-assessment
143 The Westpac Institutional Bank division (WIB) relevantly included the Corporate & Institutional
Banking (CIB) team and the Global Transaction Services (GTS) team.
144 CIB and GTS were responsible for identifying, evaluating and managing the ML/TF risks Westpac
may reasonably face with respect to its correspondent banking relationships. In particular:
(a) CIB was responsible for the establishment of the correspondent banking relationships
and was the relationship manager. From March 2018, GTS and CIB were jointly
responsible for approving the establishment of all correspondent banking relationships;
and
(b) GTS was responsible for the ongoing risks of product management processes and
procedures to the extent they impacted upon correspondent banking.
145 Throughout the Relevant Period, the Risk and Fraud Operations (RFO) team, a group function,
conducted the Preliminary Risk Assessments and Due Diligence Assessments. The workbooks
that documented both assessments are referred to as the DD Workbooks. A specialised team
within RFO (RFO CBDD Team) was responsible for:
(c) conducting Preliminary Risk Assessments and Due Diligence Assessments for
correspondent banks, and completing the associated DD Workbooks;
(d) monitoring adverse media events in relation to correspondent banks, and escalating
these to CIB and GTS in accordance with a process prescribed by the Correspondent
Banking Due Diligence AML/CTF Procedures Manual (CB Procedures Manual) as
referred to in paragraph 165 below; and
(e) once an automated transaction monitoring detection scenario was put in place for vostro
accounts, undertaking an initial assessment of alerts generated from correspondent
banking transaction monitoring scenarios.
146 The DD Workbook completed by the RFO CBDD team was reviewed and approved by the
relevant relationship manager from CIB (Relationship Manager) and the relevant network
manager from GTS (Network Manager).
Second line of defence – establishment of risk management framework and policies and
risk management oversight
147 The second line of defence involved:
(a) from January 2018, oversight by the WIB Financial Crime team of the completion of the
DD Workbooks by the RFO CBDD team; and
(b) the Group Financial Crime team setting the standards required across the Westpac
Group for Preliminary Risk Assessments and Due Diligence Assessments in the Westpac
Group Correspondent Banking Standard (CB Standard) (explained in paragraph 155
below).
Third line of defence – Group Audit
148 The third line of defence involved the Group Audit team (previously known as Group Assurance
until October 2015), which was the internal audit function at Westpac, independent of
management.
149 Group Audit conducted a number of reviews of Westpac’s AML/CTF correspondent banking due
diligence processes, systems and controls during the Relevant Period.
C.4.2.2 Policies and procedures relevant to Westpac’s Correspondent Banking Due
Diligence Obligations
150 The processes, systems and controls that Westpac had in place that were intended to achieve
compliance with Westpac's Correspondent Banking Due Diligence Obligations were set out in the
following policies and procedures:
(a) the AML/CTF Policy;
(b) the AML/CTF program;
(c) the CB Standard; and
(d) the CB Procedures Manual.
151 These processes, systems and controls also included transaction monitoring over MT103 files
sent and received, and sanctions screening processes. From September 2017, they also included
vostro account monitoring, noting that the monitoring first introduced in February 2016 was not
appropriate or effective.
The AML/CTF Policy
152 The AML/CTF Policy set out the principles Westpac was required to follow to comply with its
AML/CTF obligations, including in relation to correspondent banking relationships.
The AML/CTF Program
153 During the Relevant Period, the AML/CTF program provided for Westpac to maintain a CB
Standard, which was the responsibility of the Group Money Laundering Reporting Officer (Group
MLRO).
154 The AML/CTF Program also set out key requirements in relation to correspondent banking due
diligence, including that:
(a) Westpac could not enter into a correspondent banking relationship without first assessing
the risk that the relationship might involve the facilitation of ML/TF activities; and
(b) the risk level assigned to the relationship would determine the due diligence required in
respect of the correspondent bank, and the level of ongoing due diligence, with such due
diligence being conducted by the RFO CBDD Team.
CB Standard
155 The CB Standard set out the level of due diligence required for correspondent banking
relationships entered into by Westpac.
156 During the Relevant Period, the CB Standard applied the following relevant principles:
(a) Westpac must not directly or indirectly enter into a correspondent banking relationship
with a shell bank;
(b) before Westpac enters into a correspondent banking relationship with another financial
institution, Westpac must carry out a due diligence assessment;
(c) Westpac must not enter into a correspondent banking relationship unless senior officer
approval had been granted;
(d) once Westpac had entered into a correspondent banking relationship, Westpac must
carry out regular due diligence assessments. The frequency of ongoing due diligence
assessments was required to be based upon a risk assessment of the relationship;
(e) Westpac must monitor correspondent banking relationships; and
(f) Westpac must document its responsibilities and the responsibilities of the other party to
the correspondent banking relationship, and retain records of due diligence assessments.
157 The CB Standard required, among other things, that all high-risk correspondent banking
relationships be reviewed annually, and all low or medium risk relationships be reviewed at least
every four years unless a material incident occurred, which would trigger an immediate review.
158 Although the AML/CTF Act only required Due Diligence Assessments to be carried out if
warranted by the risk assessed in the Preliminary Risk Assessment, at all times the CB Standard
required Westpac to conduct Due Diligence Assessments on each of its correspondent banks,
regardless of their risk level.
159 Although not required by the AML/CTF Act, the CB Standard defined a ‘correspondent banking
relationship’ more broadly than was prescribed by section 98 of the AML/CTF Act. In particular:
(a) under section 5 of the AML/CTF Act, a relationship could only be a correspondent
banking relationship if, among other things, the reporting entity provided banking services
to another financial institution that involved a vostro account;
(b) Westpac also voluntarily categorised the provision of a Relationship Management
Application (RMA) Key to another financial institution as a correspondent banking
relationship and subjected the relationship to Preliminary Risk Assessments and Due
Diligence Assessments. RMA Keys are the digital certificates issued to financial
institutions to enable a trusted, provable and confidential end-to-end communication over
the SWIFT Network. Some financial institutions may have RMA Keys with Westpac, but
no vostro account; and
(c) this approach meant that Westpac conducted Preliminary Risk Assessments and Due
Diligence Assessments over a broader body of entities than was required under section
98 of the AML/CTF Act.
CB Procedures Manual
160 The CB Procedures Manual prescribed the frequency with which Preliminary Risk Assessments
and Due Diligence Assessments should be conducted, and set out instructions for the RFO
CBDD Team to complete the DD Workbook.
161 During the Relevant Period, the CB Procedures Manual provided that the risk rating of the
correspondent bank was calculated using the Correspondent Bank Risk Assessment Model
(CBRA Model) to determine the "Composite Risk Rating". The Composite Risk Rating assessed
the following risk factors: (a) correspondent bank organisation type; (b) engagement channel; (c)
product; (d) jurisdiction; and (e) increased risk/adverse findings (Risk Factors).
162 The CBRA Model: (a) allowed users to choose answers for each Risk Factor from a drop-down
menu, with the answer generating an automatic score; and (b) weighted particular Risk Factors,
depending on their importance to the Composite Risk Rating.
163 The CBRA Model then generated a Composite Risk Rating based on the weightings and the
score for each Risk Factor.
164 The Composite Risk Rating informed the level of subsequent due diligence conducted on the
correspondent bank and when, absent a material trigger event, the correspondent bank would
next be re-assessed:
(a) for correspondent banks with a vostro account and a Composite Risk Rating of 'High',
Westpac conducted an annual Due Diligence Assessment. The annual Due Diligence
Assessment included reviewing the correspondent bank's answers to:
(i) a standardised questionnaire designed by the Wolfsberg Group, an association of
eleven global banks (Wolfsberg Questionnaire), that was required to have been
completed within a period of three years prior to the Due Diligence Assessment;
and
(ii) a questionnaire designed by Westpac (Westpac Questionnaire) that must have
been completed within a period of three years prior to the Due Diligence
Assessment.
(b) for correspondent banks with a vostro account and a Composite Risk Rating of 'Low' or
'Medium', Westpac:
(i) conducted a Due Diligence Assessment every four years. This Due Diligence
Assessment required a review of a Westpac Questionnaire and a Wolfsberg
Questionnaire, which in each case must have been completed within a period of
three years prior to the Due Diligence Assessment; and
(ii) conducted a preliminary report into the correspondent bank half way through the
four year period between each Due Diligence Assessment.
165 The CB Procedures Manual required 'trigger events' (namely mergers / takeovers / acquisitions,
financial difficulties, changes of ownership, fines or regulatory action in relation to AML/CTF
compliance, change in the country risk profile, suspicion of dealing with a shell bank, and a
change in sanctioned country status) relating to the correspondent banks to be monitored through
Factiva, a business information and research tool used by Westpac.
166 Until January 2018, the CB Procedures Manual provided that where a trigger event was
identified, a report was to be made to the Relationship Manager and the Network Manager for
assessment and a decision as to the appropriate course of action. From January 2018 onwards,
these trigger events were intended to lead to the Relationship Manager contacting the
correspondent bank to complete an enhanced customer due diligence form, if the Relationship
Manager, Network Manager, WIB Financial Crime and the Jurisdictional Financial Crime Officer
agreed that such enhanced customer due diligence should be conducted.
167 In January 2018, the CB Procedures Manual was updated to include two additional questions for
the Relationship Manager and Network Manager that asked whether, since the last Due Diligence
Assessment, there had been any material change in the products and services used by the
correspondent bank, or any noticeable change to the volume or value of transactions. This
change was made to address an AUSTRAC recommendation (following a Compliance
Assessment by AUSTRAC in 2016) that Westpac more clearly articulate in its procedures how it
assessed material changes in the nature of the correspondent bank's ongoing business
relationship, in accordance with paragraph 3.1.4(4) of the AML/CTF Rules. However, the
additional questions in the CB Procedures Manual were not supported by appropriate processes
to identify material changes in products or services or in the volume and value of transactions.
Sanctions screening and controls
168 During the Relevant Period Westpac had a Sanctions Policy in place, which stated that:
(a) Westpac screens for designated entities (and, from 2017, sanctioned activities) in
accordance with applicable sanctions regimes both in Australia and overseas;
(b) Westpac does not maintain bank accounts for individuals or entities that are designated
entities in any jurisdiction in which Westpac operates. From 2016 it further provided that if
an existing customer of Westpac becomes designated in any such jurisdiction and
relevant laws require Westpac to freeze the assets of that customer then Westpac will do
so, and that if Westpac is not required to freeze the assets of such a customer then
Westpac will terminate its relationship with the relevant customer; and
(c) Westpac exercises due care in designing and refining business rules and processes to
ensure that no individual transaction involves a knowing breach of applicable sanctions
obligations.
169 During the Relevant Period, transactions conducted through vostro accounts on Westpac's vostro
system were subject to screening for sanctions. Sanctions screening did not apply in relation to
all the Direct ACM arrangements until mid-2018, shortly before these arrangements were
terminated. Sanctions screening was not applied to instructions received through the Referral
ACM arrangements that were settled through Direct Entry or BPay. In some cases, sanctions
screening was applied to instructions received through the Referral ACM arrangements that were
settled through RTGS.
170 To the extent sanctions risks were identified during the Due Diligence Assessment, the DD
Workbook was also required to be sent to WIB Financial Crime to review. From January 2018,
the CB Procedures Manual:
(a) provided for a 'Sanctions Escalation Model' (which was stated in the CB Procedures
Manual to be the process from 1 October 2016). The Sanctions Escalation Model
required escalation to WIB Financial Crime for approval in certain circumstances,
including where the Preliminary Risk Assessment or Due Diligence Assessment on any
correspondent bank identified any 'sanctions concern', with an escalation line to the
Group Sanctions team if the WIB Financial Crime team required Group Sanctions' input;
and
(b) included in the Westpac Questionnaire an additional 'Sanctions Questionnaire' which
required the correspondent bank to disclose risks relating to sanctions issues, answer
detailed questions about its sanctions screening and controls, and complete an
attestation for relationships it had with entities in Iran.
C.4.3 Contraventions of subsections 98(1) and 98(2) of the AML/CTF Act: Preliminary
Risk Assessments and Due Diligence Assessments
171 At all times throughout the Relevant Period, Westpac had a correspondent banking relationship
within the meaning of the AML/CTF Act that involved a vostro account with each of the
correspondent banks.
172 At all times throughout the Relevant Period, the risks assessed under the Preliminary Risk
Assessments required Westpac to conduct Due Diligence Assessments on each of the
correspondent banks.
173 During the Relevant Period, Westpac carried out 48 Preliminary Risk Assessments and 48 Due
Diligence Assessments with respect to the correspondent banks. A table setting out the
Preliminary and Due Diligence Risk Assessments conducted in respect of these entities is at
Annexure B to this SAFA.
174 During the Relevant Period, despite:
(a) Westpac having in place the processes, systems and controls described at paragraphs
142 to 170 above intended to achieve compliance with its obligation to conduct
Preliminary Risk Assessments and Due Diligence Assessments; and
(b) Westpac conducting regular Preliminary Risk Assessments and Due Diligence
Assessments in respect of its correspondent banking relationships with the
correspondent banks,
the Preliminary Risk Assessments did not fully comply with section 98(1) of the AML/CTF Act and
the Due Diligence Assessments did not fully comply with section 98(2) of the AML/CTF Act in the
following regards:
(a) in some cases, Westpac did not identify and assess all of the banking services and
transactions it facilitated through its correspondent banking relationships;
(b) in some cases, Westpac did not assess the impact of identified higher ML/TF risks upon
banking services provided by Westpac to the correspondent banks; and
(c) in some cases, Westpac did not appropriately assess the jurisdictional risks of the
correspondent banking relationships; and
the Due Diligence Assessments did not fully comply with section 98(2) of the AML/CTF Act in the
following further regards:
(a) in some cases, the assessment of the correspondent bank's products and customer base
was not sufficient;
(b) in some cases, the assessment of the adequacy of the correspondent banks' controls and
internal compliance practices relating to AML/CTF was not sufficient; and
(c) the assessment of the nature of the correspondent banks' ongoing business relationships
with Westpac and material changes to those relationships, including the types of
transactions carried out through the relationships, was not adequate.
175 Further detail in respect of each of those matters is set out below.
C.4.3.1 Failure to identify and assess banking services and transactions facilitated through
correspondent banking relationships
176 Westpac’s Preliminary Risk Assessments and Due Diligence Assessments in respect of Banks B,
C, D, E and F did not consider the risks posed by corporate operating accounts used to facilitate
the Direct ACM arrangements (the Direct ACM Corporate Operating Accounts). The Direct
ACM Corporate Operating Accounts were vostro accounts because, as used under the Direct
ACM Arrangements, they were accounts held by a correspondent bank with Westpac in
Australian dollars in order to facilitate settlement of international transactions on behalf of the
correspondent bank's customers. Nor did these assessments consider the risks posed by the
vostro accounts used to facilitate the OSBSB arrangements with Bank B and Bank J (the Bank B
Settlement Account and the Bank J Settlement Account, and together the OSBSB Settlement
Accounts), noting that the OSBSB Settlement Account for Bank B was also the Direct ACM
Corporate Operating Account for Bank B.
177 The reason that Westpac did not consider the risks posed by the Direct Model ACM
arrangements as part of its Preliminary Risk Assessment and Due Diligence Assessment was
that throughout the Relevant Period Westpac determined whether an account was a “vostro”
account by reference to whether the account was maintained on Westpac’s vostro account
system, rather than by reference to the characteristics of the account. The CB Standard did not
require Westpac to consider the characteristics of an account in determining whether it was a
vostro account.
178 While ML/TF risks associated with some of the Direct Model ACM arrangements were assessed
through a product risk assessment (PRA), these assessments were inadequate and the PRA did
not feed into the assessment of the ML/TF risk posed by the correspondent banking relationship
during the Preliminary Risk Assessment and Due Diligence Assessment.
C.4.3.2 Failure to assess the impact of identified higher ML/TF risks upon banking services
provided to the correspondent banks
179 As a result of a limitation in the CBRA Model scoring methodology (which applied to all
correspondent banks), identified higher ML/TF risks were not always appropriately assessed and
did not always have an impact upon the Composite Risk Rating. For example, the following
identified ML/TF risks did not impact the Composite Risk Rating:
Nested arrangements
180 In the case of Banks B, C, D, E, I, K, M, O and P, the DD Workbooks did not evidence an
assessment of the impact or likelihood of the risk arising from correspondent banks disclosing
that they provided services through nested arrangements. Nested arrangements refer to the use
of a bank's correspondent banking relationship by other underlying financial institutions through
their relationship with the correspondent bank's direct customer. The underlying financial
institutions conduct transactions without being direct customers of the correspondent bank. It is
also known as downstream correspondent banking.
181 These arrangements pose higher ML/TF risks because the correspondent bank does not have
visibility over the underlying financial institutions transacting through the arrangement. The impact
and likelihood of this risk should have been assessed.
182 Since September 2017 Westpac has had automated transaction monitoring in place to identify
nested arrangements (see paragraph 151 above).
Sanctions risk
183 In the case of Banks L, M and P, the DD Workbooks did not evidence an assessment of the
impact of the risk arising from correspondent banks disclosing that they had relationships with
correspondent banks operating in jurisdictions which had trade or financial sanctions imposed by
one or more other jurisdictions.
184 In the case of Bank B, the DD Workbooks did not evidence an assessment of the impact or
likelihood of the risk arising from Westpac opening a vostro account for a subsidiary of Bank B in
Zimbabwe, being a jurisdiction that was subject to limited trade and financial sanctions by
Australia, the United States, and the European Union.
185 While in each case:
(a) Westpac was not prohibited under applicable sanctions laws from having relationships
with these correspondent banks; and
(b) these risks were mitigated by:
(i) all transactions through vostro accounts being subject to sanctions screening;
and
(ii) the requirement under the CB Procedures Manual that sanctions issues identified
in the Due Diligence Assessment be escalated to the WIB Financial Crime team
for review (as noted above at paragraph 170),
each of these relationships posed a higher ML/TF risk to Westpac because of the risk that the
correspondent bank could facilitate payments in breach of applicable sanctions laws. The impact
of this risk should have been assessed.
AML/CTF enforcement action
186 During the Relevant Period, in some instances, when regulatory action concerning AML/CTF
compliance was identified in relation to a correspondent bank, this led to an increase in the
ML/TF risk rating for the correspondent bank.
187 However, for adverse regulatory action identified in relation to Bank B, the risk rating was reduced
from 'High' to 'Medium', despite new adverse action being identified during the 2016 to 2017
period.
C.4.3.3 Failure to appropriately assess jurisdictional risks
188 While Westpac assigned a jurisdictional risk rating in its Preliminary Risk Assessments for each
correspondent banking relationship, in the case of Bank G Subsidiary, and Banks B, C, D, F, I, K,
M, N and O, this was based solely on the domicile of the parent entity of the correspondent bank
being assessed, and not the domicile of the correspondent bank itself. The Bank A Parent and
Banks E, H, J, L and P were assessed because they were the parent entities of the relevant
banking groups.
189 The domicile of a correspondent bank is a potentially important ML/TF risk factor as there is a
significant variation in the robustness of jurisdictions' AML/CTF compliance regimes.
190 This failure occurred because the CB Procedures Manual required the RFO CBDD Team to
assess the jurisdictional risk rating of the parent entity of the correspondent bank being assessed,
rather than the correspondent bank.
191 The consequence was that the CBRA Model gave a 40% weighting to the domicile of each parent
bank. Whilst Westpac obtained information in the assessments about branches and subsidiaries,
this information did not feed into the composite risk rating assessment of the parent bank. For
example, the fact that some correspondent banks had a number of branches and subsidiaries in
jurisdictions subject to some form of trade or financial sanctions was not reflected in the
composite risk rating assessment for the parent banks.
192 Westpac also did not appropriately apply its own jurisdictional risk assessment with regard to
Bank G Subsidiary and Bank H. With each bank, the DD Workbook identified the jurisdiction as
having ‘Extreme Jurisdictional Risk’. However, each Preliminary Risk Assessment and Due
Diligence Assessment over the Relevant Period assessed the jurisdictional risk as ‘Medium
Jurisdictional Risk’, save for the 2018 Due Diligence Assessment for Bank H, where the
jurisdictional risk was rated as 'High'.
C.4.3.4 Assessments of products and customer base
193 In the course of conducting its Due Diligence Assessment in respect of the correspondent banks,
Westpac identified and documented the full suite of products offered by each correspondent
bank, and their types of customers. Westpac did this by asking questions of the correspondent
banks in the Westpac Questionnaire.
194 During the Relevant Period:
(a) the assessment of some correspondent banks' suite of products and types of customers
was not sufficiently regular, having regard to the fact that they were risk rated as 'High' or
'Medium' risk, and the importance of understanding the correspondent banks' products
and customer base in identifying, assessing and mitigating the risk posed by the
correspondent banking relationship. For example:
(i) for Bank A Parent and Bank O, which were rated as ‘High’ risk, Westpac did not
re-assess the nature of the correspondent bank's products and customer base
within a three year period; and
(ii) for Bank F, which was rated as 'High' risk, Westpac did not assess the nature of
the correspondent bank's products and customer base until 2017;
(iii) for Banks C and L, which were rated as 'High risk', and for Bank P, which was
rated as 'Medium' risk, Westpac did not re-assess the nature of the
correspondent banks' products and customer base after 2014; and
(iv) for Bank G Subsidiary, which was rated as 'Medium' risk, Westpac did not assess
the nature of the correspondent bank's products and customer base during the
Relevant Period.
(b) the assessments of a number of the correspondent banks did not evidence sufficient
consideration of ML/TF risks identified in relation to the correspondent banks' customer
and product bases and were not always based on adequate information,
in each case in breach of the requirements in paragraphs 3.1.4(1) and 3.1.2(1) of the AML/CTF
Rules, and as a consequence, section 98(2) of the AML/CTF Act.
C.4.3.5 Assessment of controls and internal AML/CTF compliance practices on inherent
ML/TF risks
195 During the Relevant Period:
(a) for Bank A Parent and Bank O, which were rated as ‘High’ risk, Westpac did not assess
fully the adequacy of the correspondent bank's controls and internal compliance practices
relating to AML/CTF within three years; and
(b) for Banks C and L, which were rated as 'High risk', Westpac did not assess fully the
adequacy of the correspondent banks' controls and internal AML/CTF compliance
practices after 2014;
in each case in breach of the requirements of the applicable CB Procedures Manual, described at
paragraph 164(a).
196 The assessment of the adequacy of the controls and internal compliance practices relating to
these correspondent banks was not sufficiently regular, having regard to their 'High' risk rating
and the importance of these controls and practices in mitigating the risk posed by the
correspondent banking relationships, in breach of the requirements in paragraphs 3.1.4(1) and
3.1.2(6) of the AML/CTF Rules, and, as a consequence, section 98(2) of the AML/CTF Act.
C.4.3.6 Assessment of ongoing business relationship, including transactions, and any
material changes to the business relationship
197 During the Relevant Period, Westpac did not adequately:
(a) assess the nature of each correspondent bank’s ongoing business relationship with
Westpac, including the types of transactions carried out as part of that correspondent
banking relationship; and
(b) identify and assess any material change in the nature of the correspondent bank’s
ongoing business relationship with Westpac, including in respect of the types of
transactions carried out as part of that relationship,
in breach of paragraphs 3.1.4(3) and (4) of the AML/CTF Rules, and as a consequence, section
98(2) of the AML/CTF Act, for the following reasons.
Questions in the DD Workbooks about ongoing business relationship and transactions
198 Until November 2017, the DD Workbooks for the correspondent banks did not include questions
designed to assess:
(a) the nature of the correspondent banks' ongoing business relationship with Westpac; or
(b) the transactions entered into as part of that relationship.
199 As a consequence, until November 2017, there is no evidence in the DD Workbook of Westpac
having regularly assessed the full nature of its ongoing business relationship with the
correspondent banks.
200 In November 2017, the DD Workbook was amended to require that the:
(a) Relationship Manager confirm if there had been any material change in the products and
services used by the customer since the last Due Diligence Assessment; and
(b) Network Manager confirm if there had been any noticeable change to the volume or value
of transactions since the last Due Diligence Assessment.
201 In January 2018 the CB Procedures Manual was updated to reflect this change. However,
limitations in Westpac's vostro account transaction monitoring meant that Westpac was not in a
position to fully understand any material changes to the types, volume and value of transactions
carried out as part of the correspondent banking relationship.
Monitoring of payment flows through Direct ACM arrangements
202 During the Relevant Period, Westpac did not have in place the following to monitor payment flows
through the Direct ACM arrangements with Banks A to F:
(a) trend analysis of the volume of activity flowing through the ACM Corporate Operating
Accounts;
(b) the identification of nesting by upstream financial institutions; and
(c) transaction monitoring at account level to identify unusual transactions or patterns of
transactions.
203 Further, Westpac did not implement transaction monitoring of originator and beneficiary
information within payment messages for the Direct ACM arrangements. Until the following dates,
it also did not implement screening for sanctions:
(a) in relation to Bank C, November 2016;
(b) in relation to Bank D, October 2017;
(c) in relation to Bank E, July 2018; and
(d) in relation to Bank B, August 2018.
204 This limited its ability to monitor the ACM arrangements and changes in the transaction profile
being processed.
Automated monitoring of vostro accounts
205 The potential need to transaction monitor vostro accounts was first identified at a correspondent
banking monthly stakeholders meeting (CBMS Meeting) at Westpac in July 2012, which was
attended by mid-level management, including a senior member of the WIB Financial Crime team.
Despite discussing the need for transaction monitoring of vostro accounts at meetings between
July 2012 and May 2015, as described below, no appropriate transaction monitoring over vostro
accounts was introduced until September 2017.
206 From February 2016, an automated detection monitoring scenario for vostro accounts was
implemented, named “WS84 – High Value Transactions for VOSTRO Customers”. This detection
monitoring scenario was designed to identify payments from correspondent banks via a vostro
account which deviated from the correspondent bank's average transaction value, taken from the
previous 180 day average for the correspondent bank, as well as the volume of transactions
across the previous 90 day period from the alert date. This detection scenario did not
appropriately monitor for all known ML/TF risks of vostro accounts and was decommissioned in
July 2017 because it was not triggering a sufficient number of meaningful alerts and replaced in
September 2017 with a new scenario for vostro accounts.
207 The new scenario, named “WS89 – Correspondent Banking Transaction Monitoring (WIB)”, was
implemented and was designed to identify transactions with the following indicators:
(a) country risk (payments originating or passing through a country that is subject to trade or
financial sanctions, has significant levels of corruption or lacks appropriate AML/CTF laws
and regulations);
(b) transactions that were unusual in the context of the relationship;
(c) nested arrangements; and
(d) transactions that passed through multiple jurisdictions without a valid arrangement.
208 The WS89 detection scenario, whilst appropriate, was not adequate to fully understand and
monitor for the ML/TF risks of payment flows. For example, it did not monitor for:
(a) high level usage by a particular party;
(b) high percentage usage by a particular customer of an overseas institution;
(c) transactions originating in high risk countries; or
(d) transactions whose ultimate beneficiary is in a high risk country.
209 During the Relevant Period, Westpac did not apply the WS89 detection scenario to the Direct
ACM Corporate Operating Accounts or to the OSBSB Settlement Accounts. These accounts were
however subject to Westpac's other automated transaction monitoring rules that applied to its
transactional bank accounts.
210 The WIB Transaction Monitoring Program Alerts for vostro accounts dated September 2016, and
from 7 March 2017, the RFO Detection Scenario Alert Management Vostro Transaction
Monitoring Procedure, set out specific guidance for when alerts received in respect of this
transaction monitoring of vostro accounts should be escalated, and when a suspicion should be
formed for the purpose of section 41 of the AML/CTF Act:
(a) the WIB Transaction Monitoring Program Alerts for Vostro accounts required the WIB
Financial Crime team to review the RFO's assessment and escalate any adverse
information identified to GTS for further assessment; and
(b) the RFO Detection Procedure required the RFO team to escalate transactions to the
CBDD Team if it identified any red flag indicators associated with the transaction or the
alerted customer as a result of its review. The CBDD Team, with advice from Group
Financial Crime, would determine whether a suspicious matter report should be lodged
under section 41 of the AML/CTF Act. The RFO Detection Procedure also provided for a
process for alerts to be escalated to the Correspondent Banking Due Diligence
Committee (CBDDC) to consider whether a Due Diligence Assessment should be
reconducted.
211 However, the alerts subject to the monitoring procedures described above were not meaningful
until the WS89 detection scenario was introduced in September 2017. Nor were the alerts always
actioned promptly.
212 Insofar as the monitoring of the transaction relationship should have alerted Westpac to relevant
material changes, so that it could then determine whether to proceed with an assessment:
(a) until 18 November 2019, Westpac's trigger event reporting mechanism was not designed
to consider these changes (further addressed at paragraph 216); and
(b) the transaction monitoring conducted by Westpac of vostro accounts lacked sufficient
depth for the reasons identified at paragraphs 206 to 208 above.
213 While Westpac had transaction monitoring in place in relation to its international payments
business, including in relation to MT103 instructions, its transaction monitoring in relation to
vostro accounts limited its ability to assess its ongoing relationships with the correspondent banks
and any material changes to those relationships.
Trigger warning process
214 The CB Procedures Manual provided for a trigger warning system based on Factiva. Under the
CB Standard, a trigger event could lead to a new Due Diligence Assessment of a correspondent
bank.
215 The trigger event reporting process should have alerted Westpac to material changes in its
relationship with a correspondent bank. However, it was flawed because:
(a) the CB Procedures Manual did not provide for any trigger events designed to identify
material changes in the nature of the ongoing business relationship, including the types of
transactions carried on as part of that relationship;
(b) analysis of these reports was not appropriately documented, because:
(i) during the Relevant Period, the RFO team monitored trigger events, and sent the
trigger reports to the Relationship Manager and Network Manager for their
comments and assessment. Under the CB Procedures Manual, the Relationship
Manager, Network Manager and Group MLRO were obliged to consider answers
to several questions documented at section 2 of the trigger report which
assessed Westpac's exposure to the trigger event; but
(ii) in respect of some of the trigger reports generated for Bank A Parent, Banks B,
C, D, E, I, J, K, L, M, N, and P, and in breach of the requirements of the CB
Procedures Manual, these questions were not always completed in respect of
trigger events; and
(c) during the Relevant Period, the requirement to conduct enhanced customer due diligence
under the CB Procedures Manual was at the discretion of the Relationship Manager, the
Network Manager and WIB Financial Crime. Although some correspondent banks were
placed on a ‘watching brief’ after multiple trigger events, they were not subject to any
additional enhanced customer due diligence; and
(d) in September 2018 Westpac identified, as part of a Controls Assurance Review into
Correspondent Banking Due Diligence, that the Factiva trigger event monitoring process
required enhancement to ensure the completeness of correspondent bank lists and
defined monitoring scope set up in Factiva, sufficient quality assurance control and
proper record retention. There were weaknesses in the escalation of trigger reports, with
the result that trigger events were treated inconsistently. No independent quality
assurance controls were performed to ensure all Factiva alerts were actioned properly.
216 Until 18 November 2019, Westpac's Due Diligence Assessment process also did not include any
processes for monitoring for additional risks arising from the sale of new products to the
correspondent banks (being a material change in the nature of the correspondent bank’s ongoing
business relationship with Westpac). Until 18 November 2019, when the CBDD Procedures
replaced the CB Procedures Manual, the sale of a new product to a correspondent bank was not
a trigger event. This meant that any new risks arising from the sale of a new product over the
Relevant Period to the correspondent banks were not assessed in a DD Workbook.
217 Deficiencies in Westpac's trigger warning processes limited its ability to monitor material changes
in its relationships with the correspondent banks.
C.4.4 Quality assurance
218 During the Relevant Period, whilst Westpac's approach to quality assurance matured, as did
industry standards, first line testing and second line oversight were not consistent.
219 An external consultant reviewed a sample of 60 DD Workbooks in 2012, Line 2 (Controls
Assurance) conducted testing over samples of DD Workbooks in 2014 and Line 3 (Group Audit)
conducted reviews during the Relevant Period which included correspondent banking due
diligence within its scope.
220 Steps were also taken to improve the quality assurance over the correspondent banking due
diligence process, including:
(a) In January 2018:
(i) WIB Financial Crime were required for the first time to sign off on the DD
Workbooks;
(ii) CBDDC approval was required for all high risk banks; and
(b) In February 2018 a four eye review process was introduced to be conducted on each due
diligence workbook by the relevant RFO manager.
221 Since 18 November 2019, the CBDD Procedures requires that:
(a) a separate quality checking team within RFO reviews the DD Workbooks within one
month of completion to confirm all relevant information has been collected and
appropriately recorded; and
(b) the Financial Crime team within GTS performs a sample review of completed DD
Workbooks to confirm, at a minimum, that:
(i) all required identification and verification information is collected for the entity,
including any parent entity and/or owner(s) / controller(s);
(ii) any indicators of potential prohibited customer types or restricted customer
activities were identified and considered;
(iii) the Composite Risk Rating is correctly determined; and
(iv) all necessary approvals are obtained.
222 While there were quality assurance controls in place prior to this point (as described above), had
Westpac adopted these additional controls earlier, a number of the issues described above would
have been identified earlier. Further, whilst Group Audit conducted some review of correspondent
banking due diligence processes during the Relevant Period, its reviews did not fully cover these
processes.
C.4.5 Conclusion
223 By reason of the matters referred to in paragraphs 171 to 217 above, Westpac did not conduct an
adequate Preliminary Risk Assessment in accordance with section 98(1) of the AML/CTF Act on
48 occasions and did not conduct an adequate Due Diligence Assessment in accordance with
section 98(2) of the AML/CTF Act on 48 occasions.
C.5 AML/CTF Program
C.5.1 Requirements under section 81 of the AML/CTF Act
224 Throughout the Relevant Period, section 81 of the AML/CTF Act stipulated that a reporting entity
must not commence to provide a designated service to a customer if the reporting entity has not
adopted, and does not maintain, an AML/CTF program within the meaning of section 83 of the
AML/CTF Act that applies to the reporting entity (being either a standard, joint or special
AML/CTF program).
225 The AML/CTF Program is the principal document for setting out the risk-based systems and
controls that are required to ensure compliance with the AML/CTF Act and the AML/CTF Rules. It
is the means through which a reporting entity is required to take responsibility for managing the
money laundering and terrorism financing risks of its own business.
226 Throughout the Relevant Period, section 85(1) of the AML/CTF Act defined a joint AML/CTF
program as a written program that applies to each reporting entity that from time to time belongs
to a particular designated business group, and is divided into the following parts: Part A (general);
and Part B (customer identification).
227 Section 85(2) of the AML/CTF Act defined Part A of a joint AML/CTF program as a part which:
(a) has the primary purpose of identifying, mitigating and managing the risk that each
reporting entity may reasonably face that the provision of designated services at or
through a permanent establishment of the reporting entity in Australia might (whether
inadvertently or otherwise) involve or facilitate money laundering or terrorism financing
(ML/TF risk); and
(b) complies with such requirements as are specified in the AML/CTF Rules.
228 Throughout the Relevant Period, the AML/CTF Rules required that Part A of a joint AML/CTF
program must, among other things:
(a) in determining and putting in place appropriate risk-based systems and controls, have
regard to the following factors in relation to each reporting entity in the designated
business group (paragraph 9.1.3):
(i) the nature, size and complexity of business; and
(ii) the type of ML/TF risk that might be reasonably faced;
(b) take account of the risk posed by the following factors in relation to each reporting entity
in the designated business group (paragraph 9.1.4):
(i) the customer types, including any politically exposed persons;
(ii) the types of designated services provided;
(iii) the methods by which designated services are delivered; and
(iv) the foreign jurisdictions dealt with;
(c) be designed to enable the designated business group to (paragraph 9.1.5):
(i) understand the nature and purpose of the business relationship with its customer
types, including, as appropriate, the collection of information relevant to that
understanding;
(ii) understand the control structure of non-individual customers;
(iii) identify significant changes in ML/TF risk for the purposes of the group’s Part A
and Part B programs, including:
(A) risks identified by consideration of the factors in paragraph 9.1.4; and
(B) risks arising from changes in the nature of the business relationship,
control structure or beneficial ownership of its customers; and
(iv) such changes in ML/TF risk to be recognised for the purposes of the
requirements of the group’s Part A and Part B programs; and
(v) identify, mitigate and manage any ML/TF risk arising from:
(A) all new designated services prior to introducing them to the market;
(B) all new methods of designated service delivery prior to adopting them;
(C) all new or developing technologies used for the provision of a designated
service prior to adopting them; and
(D) changes arising in the nature of the business relationship, control
structure or beneficial ownership of its customers;
(d) include a transaction monitoring program (paragraph 15.4) that must:
(i) include appropriate risk-based systems and controls to monitor the transactions
of customers (paragraph 15.5); and
(ii) have the purpose of identifying, having regard to ML/TF risk, any transaction that
appears to be suspicious within the terms of section 41 of the AML/CTF Act
(paragraph 15.6); and
(e) include appropriate systems and controls of each of the reporting entities designed to
ensure compliance with the reporting obligations of the reporting entity (paragraph
9.9.1(2)).
C.5.2 Westpac's Part A Program
229 At all times in the Relevant Period, Westpac had a joint AML/CTF program which included a
document titled:
(a) since 7 March 2018, 'Anti-Money Laundering & Counter-Terrorism Financing Program
Part A';
(b) between 20 July 2017 and 6 March 2018, 'Anti-Money Laundering & Counter-Terrorism
Financing Program'; and
(c) between at least May 2013 and 19 July 2017, 'AML/CTF Program',
(each the Program Document).
230 This document was updated over time and relevantly comprised the following versions:
(a) version 3.3 effective from 22 May 2013 to 10 February 2015;
(b) version 4.0 effective from 11 February 2015 to 26 January 2016;
(c) version 4.1 effective from 27 January 2016 to 19 July 2017;
(d) version 4.2 effective from 20 July 2017 to 6 March 2018;
(e) version 1.0 effective on 7 March 2018;
(f) version 1.1 effective from 8 March 2018 to 1 May 2018;
(g) version 1.2 effective from 2 May 2018 to 13 August 2018;
(h) version 1.3 effective from 14 August 2018 to 5 March 2019;
(i) version 2.0 effective on and from 6 March 2019.
231 At all times in the Relevant Period, the Program Document included the following:
(a) a section headed 'ML/TF Risk Assessment', which:
(i) required Westpac to undertake ML/TF risk assessments to identify, mitigate and
manage the ML/TF risk exposure of its business; and
(b) a section headed 'Transaction monitoring program' or 'Transaction Monitoring', which:
(ii) stated that the purpose of the transaction monitoring program is to identify
suspicious matters and placed responsibility on the Group MLRO to oversee the
ongoing operation and effectiveness of the transaction monitoring program;
(iii) provided for customer transactions to be monitored using an automated
transaction monitoring system and for alerts generated from that system to be
investigated by RFO (previously Risk Operations);
(iv) required the submission of suspicious matter reports within the applicable time
frames to AUSTRAC; and
(c) details in relation to regulatory reporting, which:
(v) included a reference to the Westpac Group AML/CTF Regulatory Reporting
Standard (see further paragraphs 243 to 247 below); and
(vi) included a sub-section headed 'International Funds Transfer Instructions' that
provided, among other things, that Westpac has an obligation to report all IFTIs to
AUSTRAC within 10 business days after the day on which it sent or received the
instruction.
232 Underpinning the Program Document, at all relevant times, Westpac had in place Standards,
which were maintained by Westpac and updated from time to time. These documents provided
details about the requirements, processes, systems and controls necessary to give effect to the
Program Document (Standard Documents).
233 Westpac's Part A Program comprised the Program Document and the Standard Documents.
234 At all relevant times, Westpac's Part A Program set out the minimum requirements to be adopted
in relation to Westpac's anti-money laundering and counter-terrorism financing risk and
compliance.
Risk Assessment Standard
235 During the Relevant Period, Westpac had an ML/TF risk assessment standard that included
systems and controls intended to ensure Westpac complied with its obligations under the
AML/CTF Rules (Risk Assessment Standard). The Risk Assessment Standard was updated
over time and relevantly comprised the following versions:
(a) version 2.0 effective from 27 September 2013 to 10 December 2014, entitled 'Westpac
Group AML/CTF ML/TF Risk Assessment and Methodology Standard';
(b) version 3.0 effective from 11 December 2014 to 28 March 2017, entitled 'Westpac Group
AML/CTF ML/TF Risk Assessment and Methodology Standard';
(c) version 3.1 effective from 29 March 2017 to 1 May 2018, entitled 'Westpac Enterprise
AML/CTF ML/TF Risk Assessment and Methodology Standard';
(d) version 3.2 effective from 2 May 2018 to 29 May 2018, entitled 'Westpac Group AML/CTF
ML/TF Risk Assessment Standard';
(e) version 3.3 effective from 30 May 2018 to 30 April 2019, entitled 'Westpac Group
AML/CTF ML/TF Risk Assessment Standard'; and
(f) version 3.4 effective on and from 1 May 2019, entitled 'Westpac Group AML/CTF ML/TF
Risk Assessment Standard'.
236 The Risk Assessment Standard set out the minimum requirements that must be adopted by
Westpac in relation to ML/TF risk assessments.
237 During the Relevant Period, the Risk Assessment Standard included the following relevant
principles:
(a) Westpac must undertake ML/TF risk assessments to identify its ML/TF risk exposure;
(b) Westpac utilises a multi-tiered approach to its risk assessment methodology to determine
the levels of ML/TF risk applicable at an enterprise, Division and/or Business Unit as well
as customer level, including a customer risk assessment, a jurisdiction risk assessment
and a product risk assessment process;
(c) Westpac must conduct an ML/TF risk assessment of all products offered by Westpac;
and
(d) Westpac must regularly review the ML/TF risk assessment to ensure it remains relevant,
current, adequate and reflective of ML/TF risk trends.
238 The Risk Assessment Standard was supported by a number of further documents including
ML/TF risk assessment procedures and guidance documents intended to ensure that Westpac
complied with its ML/TF risk assessment obligations under the AML/CTF Rules.
Transaction Monitoring Program Standard
239 At all times during the Relevant Period, Westpac had a transaction monitoring program standard
that included systems and controls intended to ensure Westpac complied with its obligations
under the AML/CTF Rules (TMP Standard). This document was updated over time and
relevantly comprised the following versions:
(a) version 2.0 effective from 8 August 2012 to 28 November 2013, entitled 'Westpac Group
AML/CTF Transaction Monitoring Program';
(b) version 2.1 effective from 29 November 2013 to 25 February 2016, entitled 'Westpac
Group AML/CTF Transaction Monitoring Program';
(c) version 2.1 effective from 26 February 2016 to 31 July 2018, entitled 'Westpac Group
AML/CTF Transaction Monitoring Program (Australia)'; and
(d) version 1.0 effective on and from 1 August 2018, entitled 'Westpac Group AML/CTF
Transaction Monitoring and Suspicious Matter Reporting (SMR) Standard (Australia)'.
240 The TMP Standard set out the minimum requirements that must be adopted by Westpac in
relation to its transaction monitoring program.
241 During the Relevant Period, the TMP Standard included the following relevant principles:
(a) Westpac must monitor customer transactions through the use of rule-based detection
scenarios that seek to capture behaviour recognised in ML/TF typologies;
(b) The transaction monitoring program is owned by the Group MLRO, and the detection
scenario logic is managed and maintained by Enterprise Financial Crime (previously
named Group AML/CTF and Sanctions), together with Financial Crime Management
Analytics (previously Group AML/CTF and Sanctions Analytics);
(c) Transaction monitoring detection scenarios are required to undergo ongoing review and
refinement; and
(d) NetReveal (formerly Detica) is used as the case management system by RFO analysts in
clearing and investigating scenario alerts. The alert clearance process can include a
review of the customer's transactional history with particular focus on the transaction
which triggered the alert, assessment of red flag indicators and other external and
internal searches, among other things.
242 The TMP Standard was supported by a number of further documents including various
transaction monitoring procedures and operational documents intended to ensure that Westpac
complied with its transaction monitoring obligations under the AML/CTF Rules.
Regulatory Reporting Standard
243 At all times in the Relevant Period, Westpac had a regulatory reporting standard that included
systems and controls intended to ensure Westpac complied with its reporting obligations under
section 45 of the AML/CTF Act (Regulatory Reporting Standard). This document was updated
over time and relevantly comprised the following versions:
(a) version 1.1 effective from 17 May 2013 to 8 September 2015, entitled 'Westpac Group
AML/CTF Regulatory Reporting Standard';
(b) version 1.2 effective from 9 September 2015 to 30 April 2019, entitled 'Westpac Group
AML/CTF Regulatory Reporting Standard (Australia)'; and
(c) version 1.0 effective on and from 1 May 2019, entitled 'Westpac Group Anti-Money
Laundering and Counter-Terrorism Financing (AML/CTF) Transaction Reporting
Standard'.
244 The Regulatory Reporting Standard sets out the minimum requirements that must be adopted by
Westpac in relation to Australian AML/CTF regulatory reporting, including reporting of IFTIs.
245 During the Relevant Period, the Regulatory Reporting Standard included the following relevant
principles:
(a) all reports are uploaded electronically to AUSTRAC Online in the approved XML format
as specified by AUSTRAC;
(b) Westpac must report IFTIs to AUSTRAC within 10 business days, and those reports must
include all reportable details as specified in the AML/CTF Rules;
(c) on and from 20 November 2013 to 30 April 2019, Westpac submits test file assessments
to AUSTRAC. AUSTRAC provides a written response;
(d) from 1 May 2019, Westpac considers whether it is necessary to submit test file
assessments to AUSTRAC when AUSTRAC updates the reporting rules or XML
schemes, or Westpac changes its system rules used to generate and populate IFTI
reports;
(e) on and from 20 November 2013 to 30 April 2019, the Enterprise Financial Crime team
actively manages and addresses test file issues and observations in conjunction with the
Financial Crime Systems team (previously Detica Helpdesk team) and RFO;
(f) from 1 May 2019, the Enterprise Financial Crime team identifies changes to the reporting
requirements and considers the impact on Westpac's processes and systems, in
conjunction with Detica Business Support;
(g) Detica provides validation checks and error messages at the front end (Frontline), back
end (RFO) and XML generation stages to ensure quality of data;
(h) Westpac's regulatory reports are subject to a level of quality checking under the Quality
Assurance (QA) framework within RFO. The QA procedure is aligned to a checklist and
template, which are subject to ongoing review and updates to incorporate AUSTRAC
feedback and other QA observations;
(i) the responsibilities for key areas, including division of responsibility as between the
Group Financial Crime function, RFO, Divisions (including front line, supported by
Divisional Financial Crime teams), and system support teams; and
(j) guidance on when an IFTI should be reported, and what should be reported to
AUSTRAC, including guidance on SWIFT and non-SWIFT payment instructions.
246 On and from 1 May 2019, the Regulatory Reporting Standard included a requirement that the
Divisions must ensure and be satisfied that there were processes and procedures in place (at a
Group and/or Divisional level) to ensure that all transactions facilitated by their Division which
meet the definition of an IFTI were reported to AUSTRAC within the specified timeframes. This
included a requirement that there were controls in place to periodically reconcile the number of
IFTIs received and sent against the number of IFTIs submitted to AUSTRAC.
247 The Regulatory Reporting Standard was supported by a number of further policies, procedures
and processes intended to ensure that Westpac complied with its reporting obligations under
section 45 of the AML/CTF Act.
Oversight of the Part A Program
248 The oversight of Westpac's Part A Program was through a governance framework for managing
ML/TF risks (the Financial Crime Risk Management Framework). This included:
(a) oversight by the Westpac Group Financial Crime Committee (FINCO), later renamed the
Group Operational Risk and Financial Crime Committee (OFCO); the Group Executive
Risk Committee (RISKCO) and the Board Risk and Compliance Committee (BRCC). For
example, from late 2014, the BRCC, RISKCO and OFCO were provided with quarterly
financial crime reports which contained the key risk, operational and compliance metrics
relating to the performance of the Part A AML/CTF program.
(b) management of the Part A Program by reference to Westpac’s ‘three lines of defence’
risk management model in relation to ML/TF risks, where:
(i) the first line comprised the business and operational functions within each
Division and Business Unit, which retained primary accountability for complying
with AML/CTF obligations and managing ML/TF risk;
(ii) the second line comprised:
• Division and Business Unit risk and compliance teams (at times during the
Relevant Period responsible for, among other things, providing advice to
Divisions and Business Units and monitoring compliance with financial crime risk
management obligations),
• Enterprise Financial Crime (also named Group Financial Crime in the Relevant
Period) (responsible for, among other things, developing and maintaining Group
level AML/CTF policies, standards, procedures and guidance); and
• a team responsible for testing the Group’s compliance with financial crime
obligations;
(iii) the third line comprised the Group Assurance (later renamed Group Audit)
function, which was an independent assurance function that evaluated and
opined on the adequacy and effectiveness of both the first and second line risk
management approaches and tracked remediation progress of issues identified
by the function, with the aim of providing the Board and senior management with
comfort as to the Group’s end-to-end risk identification, management and
controls.
(c) Westpac setting the level of ML/TF risks it was willing to accept in the normal course of
business (risk appetite) which included determining that it had no appetite for intentional
breaches of any of its legal obligations, including under the AML/CTF Act. The BRCC had
oversight of performance against risk appetite, including with respect to ML/TF risks.
C.5.3 Section 81 – Failure to identify, mitigate and manage ML/TF risks - ML/TF risk
assessments and risk-based controls
249 Risk assessments are the foundation of the obligation to identify, mitigate and manage the ML/TF
risks relating to designated services. Risk assessments must be reviewed and updated regularly
as ML/TF risks emerge, evolve and change.
250 An assessment of the ML/TF risks of designated services requires a reporting entity to take
account of the risks posed by customer types, the product or designated service itself, the
channel or method by which the designated service is delivered and the foreign jurisdictions dealt
with.
251 The risk-based systems and controls in a Part A Program must be aligned to current ML/TF risks,
as identified in risk assessments. This includes risk-based systems and controls to monitor the
transactions of customers, to carry out enhanced customer due diligence and to identify
suspicious transactions for the purposes of section 41 of the AML/CTF Act. In determining and
putting in place these appropriate risk-based systems and controls, the Part A Program must also
have regard to the nature, size and complexity of the reporting entity’s business.
252 AML/CTF systems and controls need to be reviewed, tested and reassessed on a regular basis to
ensure they are mitigating and managing ML/TF risks as intended.
The non-compliance of Westpac’s Part A Program with the AML/CTF Act and AML/CTF Rules
253 Between 20 November 2013 and May 2018, Westpac's Part A Program did not fully comply with
the requirements of paragraphs 9.1.3 to 9.1.5 of the AML/CTF Rules in that:
(a) prior to May 2018, Westpac's Part A Program was not appropriately designed to enable
the Group to identify, mitigate and manage the ML/TF risks posed by the methods by
which designated services were delivered (Channel Risk). While the Risk Assessment
Standard required Westpac to assess inherent Channel Risk when conducting product
risk assessments, prior to May 2018, the Risk Assessment Standard did not require, or
include procedures for, undertaking Channel Risk assessments separate to the product
risk assessment process;
(b) Westpac's Part A Program did not include an appropriate level of guidance to enable the
Group to appropriately identify all potentially relevant ML/TF risks arising from the
provision of new designated services prior to introducing those designated services to the
market, including identifying those designated services involving higher ML/TF risks with
respect to Westpac's international payments business;
(c) Westpac's Part A Program required ML/TF risk assessments to be undertaken for all new
products or material variations to products. However, it did not require, or include a
process for, product risk assessments to be reviewed or updated to identify new or
emerging ML/TF risks.
254 Whilst Westpac's risk assessment procedures were uplifted when the Part A Program was
amended in May 2018, it took some further time to remediate the risk-based systems and
controls in the Part A program, including transaction monitoring. Deficiencies in risk assessment
prior to May 2018 meant that aspects of the Part A Program did not include appropriate
risk-based systems and controls to mitigate and manage these risks, including with respect to
transaction monitoring, until 20 November 2019. Consequently, from 20 November 2013 to 20
November 2019, Westpac's Part A Program did not fully comply with the requirements of
paragraphs 9.1.3 to 9.1.5 of the AML/CTF Rules.
The circumstances surrounding the non-compliance of the Part A Program
255 The deficiencies in respect of the design of the risk assessment sections of Westpac's Part A
Program (as set out in paragraph 253) continued for a number of years. In addition, Westpac
accepts that a consistent approach to the assessment of ML/TF risks and controls was not
always taken across the Westpac Group and in some areas there was an insufficient end-to-end
view of ML/TF risks and controls. Westpac also accepts that from September 2014, it was aware
of a number of heightened external risks in the AML/CTF environment.
256 In August 2017, in the course of a review undertaken to assess the effectiveness of its AML/CTF
control environment across the Group, Westpac identified the need to enhance its risk
assessment framework in relation to the assessment of ML/TF risks associated with products,
channels and customers. Westpac also identified a significant number of existing and emerging
ML/TF risks in WIB and the need to improve its controls in order to manage and mitigate those
risks more effectively. In October 2017, the Board and senior management were briefed on these
matters and the work that had commenced to uplift the Part A Program and controls in order to
address these matters. As fully described in Section E7 below, this work is ongoing.
257 In December 2017, Westpac commenced the roll-out of a revised approach across the Group to
assessing the ML/TF risks associated with its products and channels. From May 2018, these
changes were reflected in updates to the Risk Assessment Standard. In addition, from May 2018,
the risk-based systems and controls designed to mitigate ML/TF risks were required to be
documented and recorded on a central register maintained by the Group MLRO. As a result of
several initiatives, including carrying out the revised product and channel risk assessments in
December 2017, Westpac identified a number of AML/CTF controls across the Group in early
2018 that were not appropriately risk-based or embedded across the Group, including transaction
monitoring. Appropriate risk-based transaction monitoring is central to Westpac’s understanding
of its own ML/TF risks, including emerging risks.
258 The Part A Program must be subject to regular independent review, in accordance with
paragraph 9.6 of the AML/CTF Rules. The purpose of the independent review should be to
assess:
(c) the effectiveness of the Part A program having regard to the ML/TF risk of each reporting
entity in the designated business group;
(d) whether the Part A program complies with the AML/CTF Rules;
(e) whether the Part A program has been effectively implemented; and
(f) whether each reporting entity in the designated business group has complied with its Part
A program.
259 At all times, the AML/CTF Rules required the result of the review, including any report prepared,
to be provided to senior management. From 12 January 2018, the AML/CTF Rules required
the result of the review, including any report prepared, to be provided to senior management and
the Board.
260 Westpac's Group Audit function regularly reviewed aspects of the Group financial crime control
environment and provided their findings, together with actions for relevant issue owners, to the
senior management team. These findings were then addressed by Westpac. In 2018, a Group
Audit report identified that Westpac's Part A Program had not been the subject of an independent
review in accordance with the AML/CTF Rules for several years. This was reported to the Board
and senior management. Had Westpac conducted an independent review of its Part A Program
that fully met the requirements of Part 9.6 of the AML/CTF Rules in the several years prior to
2018, the deficiencies in Westpac's Part A Program at paragraph 253 above may have been
identified, reported to senior management and rectified earlier.
The ACM and OSBSB arrangements
261 The failure to fully comply with paragraphs 9.1.3 to 9.1.5 of the AML/CTF Rules described above
at paragraph 253 contributed to the following deficiencies in the risk assessments and controls
introduced in relation to the ACM and OSBSB arrangements.
ML/TF risks associated with ACM and OSBSB
262 The ACM arrangements involved higher ML/TF risks. In particular, the ACM arrangements:
(a) facilitated high volume international payments of any value; and
(b) involved the cross-border movements of funds, which could have included the movement
of funds to and from high risk jurisdictions.
263 The ACM arrangements with Bank A involved the following additional ML/TF risks:
(a) the arrangements provided Westpac with limited information about the payer or payee;
and
(b) the arrangements involved a large number of transactions where the payer was a
payment processor (Payment Processor A), in circumstances where Westpac did not
have information about Payment Processor A's customer.
264 The ACM1 arrangement with Bank C had an additional ML/TF risk in that incoming international
payments were facilitated through two vostro accounts in Bank C’s name, even though each
account was dedicated to the exclusive use by one of two large multinationals and their related
companies.
265 The OSBSB arrangements also involved ML/TF risks. In particular:
(a) through these arrangements, funds could be transferred by third parties both
internationally through RTGS and OTT; and
(b) additionally, third parties could deposit funds directly into the OSBSB settlement account
via the branch network; and
(c) the OSBSB arrangements included the facility for the correspondent bank customer to
deposit cash through Intelligent Deposit Machines (IDM).
Failure to carry out appropriate risk assessments and mitigate and manage those risks
266 Although Westpac did conduct risk assessments in relation to the ACM and OSBSB
arrangements during the Relevant Period, the assessments it conducted did not appropriately
assess the ML/TF risks reasonably faced in relation to the provision of designated services
through each of the ACM and OSBSB arrangements.
267 Further, having failed to adequately identify and assess these risks, while Westpac did have in
place systems and controls to mitigate and manage the ML/TF risks of providing designated
services through the ACM and OSBSB arrangements, these were not appropriately risk-based.
268 In relation to the ACM arrangements, these are described in paragraph 277 below.
269 In respect of the OSBSB arrangements, while Westpac did apply:
(a) the same transaction monitoring rules that applied to transactional bank accounts;
(b) Westpac's threshold transaction reporting process for deposits at or above $10,000;
(c) a requirement that the identity of third parties be verified for deposits at or above $10,000;
and
(d) a restriction on third parties making deposits via ATMs (but not IDMs),
it did not:
(e) place deposit limits on cash deposits into OSBSB accounts with Banks B and J, including
cash deposits through IDMs; or
(f) mandate that the identity of third parties depositing cash or cheques at a branch with a
value below $10,000 was verified.
C.5.4 Section 81 – transaction monitoring program
270 Westpac is required to include a transaction monitoring program in its Part A Program. The
transaction monitoring program is a central component of Part A and:
(a) must include appropriate risk-based systems and controls to monitor the transactions of
customers;
(b) must have the purpose of identifying, having regard to ML/TF risk, any transaction that
appears to be suspicious for the purposes of section 41 of the AML/CTF Act; and
(c) should have regard to complex, unusual large transactions and unusual patterns of
transactions, which have no apparent economic or visible lawful purpose,
(section 85(2)(c) of the AML/CTF Act and paragraphs 15.4 to 15.7 of the AML/CTF Rules).
271 Between 20 November 2013 and 20 November 2019 (unless stated otherwise below), Westpac's
transaction monitoring program did not fully comply with the requirements of paragraph 15.5 of
the AML/CTF Rules in that deficiencies in Westpac's Part A Program relating to the identification
and assessment of the ML/TF risks it faced in relation to products and channels (set out at
paragraph 253 above) meant that, as a result, Westpac's transaction monitoring program did not
include risk-based systems and controls to appropriately monitor transactions across all
designated services provided by the Group, including in the following respects:
(a) not all designated services were appropriately monitored, having regard to the ML/TF
risks they posed;
(b) there were inadequate processes to ensure that new or emerging ML/TF risks would be
identified and subject to appropriate transaction monitoring;
(c) there were inadequate processes to escalate and consider guidance on ML/TF risks and
typologies from AUSTRAC and law enforcement agencies to ensure that detection
scenarios were aligned to current ML/TF risks; and
(d) prior to 2014, alerts from automated transaction monitoring detection scenarios were only
generated and processed on a monthly basis.
The circumstances surrounding the non-compliance of the Part A Program
272 In mid-2015, Group Audit prepared an audit report that included an issue raised by WIB Financial
Crime regarding deficiencies in the Group’s transaction monitoring program with regard to the
monitoring of certain transactions, including international transactions. The Group Audit report
included a management action plan, which required a detailed analysis of the current state of the
transaction monitoring program to determine the extent of gaps. In August 2015, Enterprise
Financial Crime circulated a memorandum outlining the current scope of Westpac's transaction
monitoring program. Over the course of 2016 and 2017, Westpac took actions to address
transaction monitoring issues in other jurisdictions. In August 2017, gaps in the transaction
monitoring program were again identified.
273 In April 2018, an external review advised Westpac of weaknesses in detection scenarios across
120 products that it reviewed. The review concluded that 45 of these products required
automated monitoring where none had been applied and the remaining 75 required additional
monitoring scenarios. In 2018, management action plans were developed to address the gaps.
274 Had Westpac conducted an independent review in accordance with the AML/CTF Rules in the
several years prior to 2018 (see paragraph 260 above), these deficiencies in Westpac's
transaction monitoring program may have been identified, reported to senior management and
rectified earlier.
275 In early 2018, the Board and senior management were advised that improvements to the
transaction monitoring program had been identified and that the uplift of the transaction
monitoring program was a priority area. In August 2018, Westpac disclosed to AUSTRAC that it
had identified products where it considered that automated transaction monitoring had not been
applied in circumstances where it should have been, the range of scenarios that had been
deployed under the transaction monitoring program should be enhanced and manual processes
should be established to better manage ML/TF risks.
Westpac's international payments business
276 Westpac had a range of automated transaction monitoring scenarios in place in relation to
international payments, but the failure to fully comply with paragraph 15.5 of the AML/CTF Rules
described at paragraph 271 above led to Westpac's failure to appropriately monitor the ML/TF
risks of aspects of its international payments business in the following regards.
277 In relation to the ACM arrangements:
(a) while Westpac had in place some transaction monitoring in relation to the ACM
arrangements, this was limited to the dispersal of funds through the direct entry channel
where the funds were deposited into a Westpac customer account;
(b) Westpac did not obtain sufficient information about each international funds transfer
instruction received under the ACM arrangements with Banks A to F so as to enable it to
appropriately monitor these banks' transactions on a risk basis. None of the instructions
received under the ACM arrangements contained details about the purpose of payment
and some instructions had limited information about one or more of the following criteria:
the payer, currency and jurisdiction of origin.
(c) a significant number of payments processed through the ACM arrangements with Bank A
related to the transfer of funds by Payment Processor A, which potentially carried higher
ML/TF risks. Transactions through these arrangements were not subject to appropriate
risk-based monitoring and were not identified as being of a different profile to the usual
payments processed via the ACM arrangements with Bank A; and
(d) from November 2016 Westpac started to apply sanction screening to the Direct ACM
arrangements with Bank C (when those arrangements commenced) and it took until
September 2018 for the other ACM arrangements to be subjected to sanction screening.
278 In relation to the OSBSB arrangements:
(a) monitoring of OSBSB transactions was not appropriately risk-based;
(b) Westpac did not have appropriate controls in place to know the identity of the customers
of Bank B and Bank J that had been allocated an OSBSB sub-account, or the origin of
funds transferred to, or destination of funds transferred from, the Bank B Settlement
Account and Bank J Settlement Account; and
(c) cash deposits into OSBSB Settlement Accounts were not appropriately monitored.
279 In relation to Vostro accounts, it was not until September 2017 that appropriate automated
monitoring was introduced. Whilst appropriate, this automated monitoring was not adequate to
fully understand and monitor for the ML/TF risks of payment flows. Nor did it apply to all vostro
accounts (as a matter of substance).
280 In relation to transaction monitoring for the child exploitation material (CEM) risk:
(a) from 2013, AUSTRAC and, in 2016, the Commonwealth Attorney-General's Department,
published information about the child exploitation risks associated with frequent low value
payments to the Philippines and other jurisdictions. In December 2016 and January 2017,
AUSTRAC provided reporting entities, including Westpac, with methodology briefs
detailing the key indicators for the purchase of live-streaming child exploitation material,
involving international funds transfers to the Philippines and South East Asia (collectively,
the Guidance);
(b) in May 2016, Westpac assessed the heightened child exploitation risks associated with
low value payments to the Philippines through the LitePay product and identified the need
for detection scenarios to be included in the transaction monitoring program for LitePay
and other international payment channels that could be used to process low value
payments. From the launch of the LitePay product in August 2016, two detection
scenarios were implemented that were intended, among other things, to identify
transactions that might be indicative of child exploitation risk. However, these scenarios
did not adequately reflect the Guidance and did not apply to other payment channels;
(c) in June 2018, an updated automated detection scenario was implemented to monitor the
LitePay channel for the known child exploitation typologies involving the Philippines; and
(d) throughout the Relevant Period until October 2019, Westpac did not implement an
appropriate detection monitoring scenario to monitor for the known child exploitation
typologies involving frequent low value payments to the Philippines and South East Asia
via non-LitePay channels.
C.5.5 Section 81 – systems and controls for IFTI reporting
281 Westpac was required under paragraph 9.9.1(2) of the AML/CTF Rules to include, in its Part A
Program, systems and controls designed to ensure compliance with the obligation to report IFTIs
under section 45 of the AML/CTF Act.
282 Notwithstanding the systems, controls and processes included in the Regulatory Reporting
Standard as set out at paragraph 245 above, between 20 November 2013 and 20 November
2019, Westpac’s Part A Program:
(a) did not include processes for ensuring that Westpac was reporting to AUSTRAC all IFTIs
that it was required to report under section 45 of the AML/CTF Act, including appropriate
end-to-end reconciliation, assurance and adequate oversight processes to detect ongoing
non-compliance with IFTI reporting obligations;
(b) did not include appropriate processes to identify all source systems that create payment
instructions that required reporting under section 45 of the AML/CTF Act, including with
respect to non-SWIFT instructions; and
(c) did not include appropriate processes to identify non-SWIFT IFTIs that did not include
complete payer information.
C.5.6 Conclusions
283 For the reasons set out at paragraphs 253, 271 and 282, Westpac contravened section 81 of the
AML/CTF Act from 20 November 2013 to 20 November 2019 by commencing to provide
designated services in circumstances where its Part A Program did not fully comply with the
requirements of the AML/CTF Rules in significant respects.
C.6 Ongoing Customer Due Diligence – contraventions of section 36 of the AML/CTF Act
C.6.1 Customers 1 – 262
284 For the reasons set out in paragraphs 285 to 316, from 20 November 2013 until 20 November
2019, Westpac's transaction monitoring program did not include sufficient risk-based systems and
controls to monitor the risk that the provision of designated services to its customers might
involve or facilitate the funding of CEM.
285 At various times from 20 November 2013, each of the 262 Customers set out in Annexure C:
(a) held one or more accounts with Westpac; and
(b) conducted transactions on one or more such account within the meaning of item 3, table
1, section 6 of the AML/CTF Act.
The SMRs prior to November 2019
Customers 1 to 11
286 Prior to 20 November 2019, Customers 1, 2 and 4 to 11 were customers of Westpac. Customer 3
was a customer of Westpac until October 2019. Each of these customers held an account with
Westpac and conducted transactions on this account within the meaning of item 3, table 1,
section 6 of the AML/CTF Act.
287 On and from the following dates, there were repeated patterns of frequent low value transactions
on these accounts that were consistent with CEM typologies according to the guidance issued by
AUSTRAC, or other regulatory or industry bodies, in relation to CEM risk (Guidance) available at
the time (Relevant Transactions). These transactions were effected through multiple
international payment channels.
(a) Customer 1 – November 2013
(b) Customer 2 – November 2013
(c) Customer 3 – April 2016
(d) Customer 4 – November 2016
(e) Customer 5 – June 2015
(f) Customer 6 – May 2016
(g) Customer 7 – March 2016
(h) Customer 8 – May 2016
(i) Customer 9 – March 2018
(j) Customer 10 – March 2017
(k) Customer 11 – February 2019
288 Westpac first identified activity on the accounts as indicative of typologies identified in the
Guidance available at the time and gave the AUSTRAC CEO a CEM-related suspicious matter
report (SMR) in relation to this activity as follows:
(a) Customer 1 – 11 June 2019
(b) Customer 2 – 25 July 2018
(c) Customer 3 – 4 July 2019
(d) Customer 4 – 19 March 2018
(e) Customer 5 – 18 April 2019
(f) Customer 6 – 12 April 2018
(g) Customer 7 – 23 July 2018
(h) Customer 8 – 24 July 2018
(i) Customer 9 – 30 August 2019
(j) Customer 10 – 1 February 2019
(k) Customer 11 – 18 October 2019
289 Had Westpac implemented appropriate transaction monitoring at the time of the Relevant
Transactions, some or all of the transactions:
(a) may have been identified prior to the date of the SMR at 288 as consistent with
typologies according to the Guidance available at the time; and, if identified,
(b) would have been the subject of investigation by Westpac's RFO Team in order to
determine whether those transactions were 'false positives', in that they triggered the
detection scenario but were, upon investigation, not indicative of CEM, and, if not 'false
positives', whether they gave rise to an obligation to give the AUSTRAC CEO an SMR
pursuant to section 41 of the AML/CTF Act.
290 Once Westpac had formed a suspicion of possible CEM, in accordance with paragraph 15.9 of
the AML/CTF Rules, appropriate enhanced customer due diligence (ECDD) steps for the
purposes of paragraph 15.10 of the AML/CTF Rules should have included:
(a) a review of the complete customer relationship, including a review of all accounts held by
the customer or to which the customer was a signatory;
(b) a review or update of the customer’s 'know your customer' information;
(c) escalation of the customer, and any related customer, suspected of CEM to determine
whether to continue the business relationship with that customer;
(d) if an ongoing relationship is approved, increased monitoring of the customer’s activity to
identify, mitigate and manage any ongoing CEM risks; and
(e) if an ongoing relationship is declined, the placing of restrictions on the types of
transactions the customer could make, or advance account closure, to mitigate and
manage ongoing CEM.
291 Whilst Westpac undertook some ECDD in relation to Customers 1 to 11 after filing the SMR, the
ECDD was not adequate.
292 By reason of the matters set out in paragraphs 286 to 291, from the relevant dates identified in
paragraph 287 until 20 November 2019, Westpac contravened section 36(1) of the AML/CTF Act
with respect to each of Customers 1, 2, 4 to 11.
293 By reason of the matters set out in paragraphs 286 to 291, from the date identified in paragraph
287(c) until October 2019, Westpac contravened section 36(1) of the AML/CTF Act with respect
to Customer 3.
Customer 12
294 From April 2001 until 19 August 2019, Customer 12 was a customer of Westpac. From 2016,
Customer 12 held accounts with Westpac (Customer 12 Accounts) and was conducting ongoing
transactions on these accounts within the meaning of item 3, table 1, section 6 of the AML/CTF
Act.
295 On 4 June 2019, a manual alert was raised by a Westpac staff member who identified potentially
suspicious activity through face-to-face interactions with Customer 12. The potentially suspicious
activity concerned payments Customer 12 had made to the Philippines from one Customer 12
Account (First Customer 12 Account). As a result of this manual alert being raised, RFO
conducted further investigations and identified, on 6 June 2019, that Customer 12 had a prior
conviction for child exploitation offences.
296 The RFO investigation resulted in Westpac giving the AUSTRAC CEO a CEM-related SMR in
relation to activity on the First Customer 12 Account on 13 June 2019.
297 Westpac decided to exit Customer 12 on 15 July 2019 and sent Customer 12 an exit letter on 17
July 2019. However, until the Customer 12 Accounts were closed on 19 August 2019, Customer
12 was able to transact on the Customer 12 Accounts without heightened restrictions in place.
298 During the period 10 June 2019 to 19 August 2019, Customer 12 made nine low value transfers
through one Customer 12 Account, which were consistent with typologies according to the
Guidance available at the time (Customer 12 Transactions).
299 Had Westpac implemented appropriate transaction monitoring at the time of the Customer 12
Transactions and conducted appropriate ECDD, some or all of the Customer 12 Transactions:
(a) may have been identified as consistent with typologies according to the Guidance
available at the time; and, if identified,
(b) would have been the subject of investigation by Westpac's RFO Team in order to
determine whether those transactions were 'false positives', in that they triggered the
detection scenario but were, upon investigation, not indicative of CEM, and, if not 'false
positives', whether they gave rise to an obligation to give the AUSTRAC CEO an SMR
pursuant to section 41 of the AML/CTF Act.
300 Once Westpac filed an SMR in relation to possible CEM, it undertook some, but not all, of the
ECDD measures outlined at paragraph 290. Had Westpac promptly reviewed all accounts held by
Customer 12 once it became aware of Customer 12’s conviction, Westpac would have identified
ongoing transactions indicative of CEM and would have been in a position to take appropriate
steps to stop this ongoing activity.
301 By reason of the matters set out in paragraphs 294 to 300, Westpac contravened section 36(1) of
the AML/CTF Act with respect to Customer 12 from June 2019 to 19 August 2019.
The SMRs post November 2019 (Customers 13 – 260)
302 In October 2019, Westpac extended its child exploitation automated transaction monitoring
detection scenario to payments made via the SWIFT channel to the Philippines and by 24
November 2019, it had extended the scenarios to apply to additional South East Asian
jurisdictions that pose a higher risk in relation to child exploitation.
303 In December 2019, Westpac completed a review of all child exploitation transaction types for the
Philippines, South East Asia and Mexico over the prior three year period to identify and report to
the AUSTRAC CEO any further suspicious transactions or customers.
304 Following the introduction of the new filters and following the three year review as described
above, on and from late November 2019 Westpac gave the AUSTRAC CEO additional suspicious
matter reports in relation to potential child exploitation, including in relation to Customers 13 to
260.
305 On and from the dates specified in column B of Annexure C, there were repeated patterns of
frequent low value transactions on each of these accounts that were consistent with CEM
typologies according to the Guidance available at the time. These transactions were effected
through multiple international payment channels.
306 Westpac identified activity on the accounts as indicative of typologies identified in the Guidance
available at the time and gave the AUSTRAC CEO a CEM-related SMR in relation to this activity
on the date specified in column C of Annexure C.
307 Had Westpac implemented appropriate transaction monitoring at the time of the Relevant
Transactions, some or all of the transactions:
(a) may have been identified and notified to the AUSTRAC CEO in an SMR prior to the SMR
specified in column C of Annexure C as consistent with typologies according to the
Guidance available at the time; and, if identified,
(b) would have been the subject of investigation by Westpac's RFO Team in order to
determine whether those transactions were 'false positives', in that they triggered the
detection scenario but were, upon investigation, not indicative of CEM, and, if not 'false
positives', whether they gave rise to an obligation to give the AUSTRAC CEO an SMR
pursuant to section 41 of the AML/CTF Act.
308 By reason of the matters set out in paragraphs 302 to 307, from the relevant date identified in
column B of Annexure C until the identification of the matters that led to the filing of the SMR
specified in column C of Annexure C, Westpac contravened section 36(1) of the AML/CTF Act
with respect to each of Customers 13 to 260.
Customers 261 and 262
309 From 12 March 1986 until 25 May 2018, Customer 261 was a customer of Westpac. From 12
March 1986, Customer 261 held accounts with Westpac (Customer 261 Accounts) and was
conducting ongoing transactions on these accounts within the meaning of item 3, table 1, section
6 of the AML/CTF Act.
310 From 17 September 2002 until 29 July 2020, Customer 262 was a customer of Westpac. From 17
September 2002, Customer 262 held accounts with Westpac (Customer 262 Accounts) and
was conducting ongoing transactions on these accounts within the meaning of item 3, table 1,
section 6 of the AML/CTF Act.
311 Between 14 May 2014 and 10 April 2018, Customer 261 made 129 ATM withdrawals in South
East Asia in amounts ranging from $37.04 to $477.11, and totalling $40,067.14.
312 Prior to these transactions, Customer 261 had been arrested and remanded in custody for child
exploitation related offences. This fact was unknown to Westpac at the time.
313 Customer 261 was found guilty of child exploitation related offences in 2018.
314 On 27 February 2018, Westpac gave the AUSTRAC CEO an SMR in relation to Customers 261
and 262 in connection with child exploitation, after Westpac identified that Customer 262 had
been convicted of child exploitation related offences.
315 Had Westpac conducted appropriate ongoing customer due diligence with respect to Customers
261 and 262, these child exploitation related suspicions could have been identified earlier.
316 By reason of the matters set out in paragraphs 309 to 315, from:
(a) 24 September 2014 until 25 May 2018, Westpac contravened section 36(1) of the
AML/CTF Act with respect to Customer 261; and
(b) January 2017, Westpac contravened section 36(1) of the AML/CTF Act with respect to
Customer 262.
D. FORMAL ADMISSIONS
317 By reason of the matters set out above, Westpac makes the following admissions for the
purposes of the Proceedings:
(a) Westpac contravened section 45(2) of the AML/CTF Act on 19,578,985 occasions by
failing to give IFTIs to the AUSTRAC CEO within the time frame stipulated by section
45(2) of the AML/CTF Act, as identified in paragraphs 52, 87, 92, 102 and 114 above.
(b) Westpac contravened section 64(7)(f) of the AML/CTF Act on 8,140 occasions by not
including in the instruction to another institution in the funds transfer chain so much of the
required transfer information as it had been given to it (as the interposed institution), as
identified in paragraph 124.
(c) Westpac contravened section 64(6) of the AML/CTF Act on 2,400 occasions by not
including in the instruction to another institution in the funds transfer chain so much of the
required transfer information as it had been given to it (as the ordering institution), as
identified in paragraph 129.
(d) Westpac contravened section 115(2) of the AML/CTF Act on 3,516,238 occasions by
failing to retain a record of all the required transfer information for 7 years, as identified in
paragraph 136.
(e) Westpac contravened section 98(1) of the AML/CTF Act by not conducting an adequate
Preliminary Risk Assessment on 48 occasions and section 98(2) of the AML/CTF Act by
not conducting an adequate Due Diligence Assessment on 48 occasions, as identified in
paragraph 223.
(f) Westpac contravened section 81 of the AML/CTF Act from 20 November 2013 to 20
November 2019 in circumstances where its Part A Program did not fully comply with the
requirements of the AML/CTF Rules, as identified in paragraphs 253, 271 and 282.
(g) Westpac contravened section 36(1) of the AML/CTF Act by failing to monitor the below
customers on the following occasions:
(i) from the relevant dates identified in paragraph 287 until 20 November 2019 with
respect to each of Customers 1, 2, 4 to 11, as identified in paragraph 292;
(ii) from the relevant date identified in paragraph 287(c) until October 2019, with
respect to Customer 3, as identified in paragraph 293;
(iii) from June 2019 to 19 August 2019 with respect to Customer 12, as identified in
paragraph 301;
(iv) from the relevant date identified in column B of Annexure C until the identification
of the matters that led to the filing of the SMR specified in column C of
Annexure C with respect to each of Customers 13 to 260, as identified in
paragraph 308;
(v) from 24 September 2014 until 25 May 2018, with respect to Customer 261, as
identified in paragraph 316; and
(vi) from January 2017, with respect to Customer 262, as identified in paragraph 316.
E. FACTS RELEVANT TO RELIEF
E.1 Nature and extent of the contraventions
E.1.1 IFTI Reports – Contraventions of section 45 of the AML/CTF Act
318 Westpac's admitted failure to give 19,502,841 IFTIs to the AUSTRAC CEO within the time frame
specified by section 45(2) of the AML/CTF Act occurred in the circumstances described in
paragraphs 46 to 109 above. Westpac's admitted failure to give 76,144 IFTIs to the AUSTRAC
CEO that contained payer names, as required by section 45(2) of the AML/CTF Act, occurred in
the circumstances described in paragraphs 110 to 115 above. At the time of the first relevant
contravention in November 2013, a contravention carried a maximum penalty of $17 million. This
maximum penalty increased to $18 million on 1 August 2015 and to $21 million on 1 July 2017.
319 None of the contraventions was the result of any deliberate intention to breach the AML/CTF
legislation.
320 This was in circumstances where there were opportunities to prevent and detect the non-
reporting and, when it was identified, failures to escalate it, including the following.
(a) In late 2011, Westpac received a number of queries from AUSTRAC relating to its IFTI
reporting. These queries prompted the preparation of a report by Group AML/CTF entitled
'Westpac's International Funds Transfer Instructions (IFTIs) reporting solution' (the 2013
IFTI Report). The 2013 IFTI Report purported to, among other things, 'assess Westpac's
IFTI solution within Detica for any compliance gaps with our IFTI reporting obligations and
to identify improvement opportunities'. It included the following finding, but did not identify
the non-reporting:
Our review of structured IFTIs indicate that the structured IFTI reporting solution in Detica
was implemented in a short amount of time, without the Project having an adequate
understanding of reportable details in an IFTI and the criteria for a payment instruction to be
reportable. This led to a number of gaps in the design of the structured IFTIs solution.
[...]
A number of gaps were found to be present in Westpac's structured IFTIs, ranging from data
quality, incorrect usage of XML tags, incorrect information populated in XML tags, and
incorrect definitions of reportability. It is strongly recommended that additional analysis and
assessment is performed on structured IFTIs and appropriate fixes put in place to rectify the
compliance gaps identified.
(b) In July 2013, AUSTRAC undertook a review of Westpac's compliance with certain
obligations, including in relation to IFTI reporting. One of AUSTRAC's recommendations
was that Westpac perform a review of payment instructions not reported to AUSTRAC.
This recommendation from AUSTRAC was the basis for a review undertaken by Group
Assurance that culminated in the provision to AUSTRAC on 30 June 2014 of a 'Group
Assurance Report – AML/CTF International Funds Transfer Instructions Reporting –
Audit' (the 2014 Group Assurance Report). The relevant non-reporting was not
identified in preparing the 2014 Group Assurance Report.
(c) The 2014 Group Assurance Report included a 'Management Action Plan', which
generated ongoing work by Group Assurance through 2014 and 2015, which did not
identify the non-reporting.
(d) In early 2016, a team within GTS commenced a project known as the “ACM Remediation
Project”, prompted by an awareness within GTS of potential AML/CTF compliance issues
(including in relation to IFTIs in respect of the ACM arrangements; however, not in
relation to the non-reporting of IFTIs to the AUSTRAC CEO). During the course of the
ACM Remediation Project, on 22 May 2017, a GTS Associate Director emailed the Team
Lead in the Digital Transformation Technology (DTT) team asking which of certain banks’
incoming IFTIs were being reported to the AUSTRAC CEO. The DTT Team Lead
responded that same day that all of those banks’ incoming IFTIs were being reported to
the CEO of AUSTRAC except for Bank B. This was not brought to the attention of senior
management.
(e) On 8 August 2017, the General Manager of GTS requested an urgent review of the
completeness of IFTI reporting within GTS. This request prompted significant activity in a
short time period. In the course of that activity:
(i) other employees became aware of the Bank B non-reporting; and
(ii) one DTT employee within GTS identified that IFTIs in respect of the ACM
arrangement with Bank A were not being reported to the AUSTRAC CEO;
however, at the time that employee did not appreciate what he had identified.
Notwithstanding the above, non-reporting was not brought to the attention of the Group
MLRO or senior management within the financial crime control functions (including the
General Manager of GTS).
321 It was not until May 2018 that the Group MLRO became aware of these issues, following which
urgent steps were taken to escalate the matter, including taking it to Westpac's Regulatory
Disclosure Forum on 25 July 2018 and reporting it to the AUSTRAC CEO on 15 August 2018.
322 Since these contraventions were identified, Westpac has undertaken a range of further
enhancements in respect of its IFTI reporting, as identified in E.7 below.
323 The 19,502,841 contraventions of section 45 relating to the late IFTIs and the 76,144
contraventions of section 45 relating to the failure to include payer names in IFTIs were serious
because:
(a) Westpac did not have appropriate end-to-end reconciliation, assurance and oversight
processes to ensure that it was reporting IFTIs to the AUSTRAC CEO in accordance with
its obligations under section 45 of the AML/CTF Act.
(b) Westpac did not identify that over 72% of all incoming IFTIs received by Westpac for the
period 5 November 2013 to 3 September 2018 had not been reported.
(c) Westpac’s assurance processes to identify non-compliance with IFTI reporting were
inadequate, particularly in relation to IFTIs that were processed through non-SWIFT
payment systems. Westpac did not have adequate controls in place to identify the
requirement to report IFTIs in relation to Ordering Institution A. Nor did Westpac have
appropriate assurance processes in place to identify non-SWIFT IFTIs that did not
include a payer name.
(d) As a result of the failure to file the IFTIs on time, AUSTRAC, the Australian Taxation
Office (ATO) and other law enforcement agencies have been deprived of timely
information relating to over $11 billion in international payments for up to 6 years.
(e) Late reporting delays and hinders law enforcement efforts.
(f) IFTI information facilitates the tracking of off-shore movements of funds relating to
offences such as money laundering, terrorism financing, cyber-crime, child exploitation
and other crime. Given that international payments systems allow money to move quickly,
late IFTIs compromise the ability of law enforcement to trace money and to investigate
and prosecute serious crimes. Late IFTIs also delay law enforcement’s ability to identify
and stop ongoing crime.
(g) As the international payments system allows money to move quickly, late IFTIs can also
compromise the ability of law enforcement to trace and recover the proceeds of crime.
(h) IFTIs assist in the process of revenue collection. Of the IFTI reports lodged late by
Westpac, over 5.7 million transactions fall outside of the statutory limits the ATO operates
under in respect to taking corrective action against taxpayers who have lodged tax
returns. The value of the reported funds in respect to these transactions is $2.9 billion.
(i) Of the 2,314 IFTI reports lodged late relating to LitePay:
(i) 18 related to 7 of the first 12 customers with respect to whom Westpac had
identified transactions suspected to be indicative of child exploitation; and
(ii) 19 related to customers 27, 41, 45, 68, 81, 104, 127, 139, 160, 186, 210 and 221
with respect to whom Westpac had identified transactions suspected to be
indicative of child exploitation.
(j) AUSTRAC, the ATO and other law enforcement were not given timely intelligence in
relation to those 37 international transfers. During the Relevant Period, Westpac reported
to AUSTRAC approximately 4,773 IFTIs relating to the 262 customers within 10 days of
the relevant international transfers taking place.
(k) 76,144 IFTI reports, totalling $82,731,499, did not include the payer name, as required by
the AML/CTF Act and AML/CTF Rules. As a result, AUSTRAC does not have information
about the origin of this transferred money. Information about the origin of funds is critical
to enable AUSTRAC, the ATO and other law enforcement agencies to follow money that
may be connected to unlawful activity. The absence or loss of information about the origin
of funds significantly compromises investigations and prosecutions.
E.1.2 Information about the origin of the transferred money – contraventions of Part 5 of
the AML/CTF Act
324 Westpac's admitted failure to:
(a) pass on some or all of the required transfer information to another institution in relation to
8,140 IFTIs Westpac transmitted out of Australia, in contravention of section 64(7)(f) of
the AML/CTF Act; and
(b) pass on complete payer information to another institution in relation to 2,400 IFTIs, in
contravention of section 64(6) of the AML/CTF Act,
occurred in the circumstances described in paragraphs 116 to 130 above. At the time of the first
relevant non-compliance in January 2014, a contravention carried a maximum penalty of $17
million. This maximum penalty increased to $18 million on 1 August 2015 and to $21 million on 1
July 2017.
325 None of the contraventions was the result of any deliberate intention to breach the AML/CTF
legislation.
326 Since these contraventions were identified, Westpac has undertaken a range of measures to
ensure that it is passing on all necessary information, as identified in E.7 below.
327 The contraventions are serious because:
(a) Westpac did not have appropriate processes to ensure compliance with section 64 of the
AML/CTF Act.
(b) The required transfer information was held by Westpac or other Australian financial
institutions and was readily accessible by Westpac.
(c) Westpac’s processes did not identify these systemic failures for over 5 years.
(d) Full transparency of the origin of funds is essential for other financial institutions in funds
transfer chains to identify, mitigate and manage their own ML/TF risks. Westpac’s failure
to pass on the required transfer information may have impacted the ability of other
financial institutions to manage ML/TF risk.
(e) Information about the origin of funds is critical to enable AUSTRAC, the ATO and other
law enforcement agencies to follow money that may be connected to unlawful activity. It
is critical that information about the origin of funds be included in all payment instructions
and that it be readily available to law enforcement and other agencies. The absence of
payment transparency delays and inhibits the investigation and prosecution of offences.
E.1.3 Making and retaining records – contraventions of section 115 of the AML/CTF Act
328 Westpac's admitted failure to retain for 7 years records of so much of the required transfer
information as was passed onto Westpac in relation to the 3,516,238 transfer instructions referred
to in paragraph 131 above occurred in the circumstances described in paragraphs 131 to 137
above.
329 None of the contraventions was the result of any deliberate intention to breach the AML/CTF Act.
330 Further, as described in paragraph 137 above, these contraventions occurred as a result of
systems that have now been wholly replaced, or as a result of configuration issues in current
systems that have been identified and fixed.
331 The contraventions are serious because:
(a) Proper record keeping is essential to AML/CTF risk management and compliance.
(b) Westpac’s IT change management and assurance processes did not identify failures to
retain backup files for over 6 years.
(c) The lost records related to the origin of over 3.5 million incoming international
transactions.
(d) AUSTRAC, the Commissioner of Taxation and other law enforcement agencies are
entitled to request information about incoming IFTIs, including in relation to the origin of
funds. The record keeping obligations in section 115 of the AML/CTF Act support this
statutory entitlement.
(e) Information about the origin of funds is critical to enable AUSTRAC, the ATO and other
law enforcement agencies to follow money that may be connected to unlawful activity.
E.1.4 Correspondent Banking Due Diligence – contraventions of section 98 of the
AML/CTF Act
332 Westpac's admitted failure to comply with section 98 of the AML/CTF Act in relation to the
Preliminary Risk Assessments and Due Diligence Assessments undertaken in respect of its
correspondent banking relationships occurred in the circumstances described in paragraphs 138
to 223 above. At the time of the first contravention in November 2013, a contravention carried a
maximum penalty of $17 million. This maximum penalty increased to $18 million on 1 August
2015 and to $21 million on 1 July 2017.
333 Despite the admitted contraventions referred to in sections C.4.3 and C.4.4 above, those
contraventions, while serious, were not the result of any deliberate intention to breach the
AML/CTF Act. Westpac believed that it was compliant with the AML/CTF Act in respect of its
correspondent banking due diligence obligations. This belief was reasonable given:
(a) in 2012 Westpac received confirmation from an external review that its processes
addressed the requirements in the AML/CTF Act and the AML/CTF Rules in relation to
correspondent banking and that those processes were operating as designed. The
relevant provisions in the AML/CTF Act and the AML/CTF Rules have not changed
materially since this review;
(b) second line assurance testing and third line Group Audit reports that considered
correspondent banking due diligence processes and procedures during the Relevant
Period did not identify non-compliance with the AML/CTF Act or AML/CTF Rules; and
(c) in 2016, AUSTRAC conducted an assessment of Westpac's compliance with its
correspondent banking due diligence obligations, including section 98 of the AML/CTF
Act. In its report on 15 December 2016, AUSTRAC made seven recommendations 'for
Westpac to consider in enhancing its compliance with the AML/CTF Act and the
[AML/CTF Rules]', but did not identify any non-compliance with the AML/CTF Act or the
AML/CTF Rules. The recommendations and Westpac's response are described in
paragraph 393 below.
334 In particular, and evidencing Westpac’s intention to comply with the AML/CTF Act, as explained
in paragraphs 138 to 223 above:
(a) Westpac had procedures requiring that Preliminary Risk Assessments and Due Diligence
Assessments be conducted, and a system directed to achieving this, as reflected in the
CB Standard and CB Procedures Manual;
(b) while its Preliminary Risk Assessments and Due Diligence Assessments in respect of the
correspondent banks were conducted regularly, they were deficient in some respects;
and
(c) during the period of the contraventions, Westpac introduced significant improvements to
its CB Standard and CB Procedures Manual, including establishment of the CBDDC in
2017 to uplift the CB Procedures Manual and improve correspondent banking
governance.
335 However, these contraventions are serious for the following reasons:
(a) correspondent banking relationships present higher ML/TF risks associated with cross-
border movements of funds, jurisdiction risk (including the risks of operating in certain
foreign countries) and risks associated with the transparency of the identity and source of
funds of customers of the correspondent banks;
(b) the requirement to undertake regular Preliminary Risk Assessments and Due Diligence
Assessments of correspondent banking relationships is a central aspect of the AML/CTF
regulatory regime, as well as being a key element of Westpac's AML/CTF Program. It
provides an appropriate means for ensuring that the reporting entity is in a position to
identify, mitigate and manage its ML/TF risks;
(c) appropriate risk-based monitoring over vostro accounts is a key requirement of the
correspondent banking due diligence obligation. Without appropriate monitoring of vostro
accounts, although Westpac did monitor MT103 instructions, Westpac was not in a
position to understand fully the ongoing ML/TF risks posed by its correspondent banking
relationships. Nor was it in a position to understand fully the ongoing ML/TF risks of the
payments flowing through the vostro accounts;
(d) further to the context set out in paragraph 333(c), in December 2016 AUSTRAC made
seven recommendations for Westpac to consider in enhancing its compliance with the
AML/CTF Act and the AML/CTF Rules in relation to correspondent banking due diligence.
While Westpac took steps to address the recommendations, the steps it took did not
adequately address AUSTRAC's recommendations;
(e) flaws in the design and implementation of the correspondent banking due diligence
assessment processes could have been identified and addressed earlier had Westpac
had stronger first line testing, second line oversight and assurance, and third line audit
coverage;
(f) Westpac did not always have appropriate processes to monitor whether transactions
being processed through its correspondent banking relationships were consistent with its
risk appetite; and
(g) Westpac’s correspondent banking relationships allowed foreign institutions to operate
within its banking environment and within the Australian payments system. The failure of
Westpac to appropriately monitor vostro and Direct ACM arrangement payment flows
increased the exposure of Westpac, the Australian payments system, and some
international payments channels to ML/TF risks.
336 Since and during the time of these contraventions, Westpac has undertaken a range of further
enhancements in respect of its CB Standard and CB Procedures Manual, as set out in
paragraphs 393 and 394 below.
E.1.5 AML/CTF Program
337 Westpac contravened section 81 of the AML/CTF Act from 20 November 2013 to 20 November
2019 by commencing to provide designated services in circumstances where its Part A Program
did not, for the reasons set out at paragraphs 253, 271 and 282, fully comply with the
requirements of the AML/CTF Rules. Each time Westpac commenced to provide a designated
service during that period, it contravened section 81 of the AML/CTF Act. The contraventions are
significant in number but too numerous to quantify. The maximum penalty for each contravention
ranges from $17 million to $21 million.
E.1.5.1 Failure to identify, mitigate and manage ML/TF risks – ML/TF risk assessments and
risk-based controls
338 These contraventions are serious because:
(a) The AML/CTF Act reposed a high degree of trust in Westpac to identify, mitigate and
manage the ML/TF risks of its own business.
(b) The AML/CTF Program is the principal document for setting out the risk-based systems
and controls that are required to ensure compliance with the AML/CTF Act and the
AML/CTF Rules. The issues with Westpac’s ML/TF risk management models and risk-
based controls in its Part A AML/CTF Program described in paragraph 253 above
persisted for a number of years.
(c) The requirement to carry out and maintain current ML/TF risk assessments of designated
services is central to the AML/CTF Program and to the AML/CTF Act.
(d) In order to appropriately mitigate and manage its ML/TF risk and have appropriate risk-
based controls, as required by the AML/CTF Act, Westpac must first identify and assess
the ML/TF risks it reasonably faces.
(e) Westpac’s international payments business involves known higher ML/TF risks.
Westpac’s failure to appropriately identify, mitigate and manage the ML/TF risks of the
vostro accounts, ACM arrangements, and OSBSB arrangements has resulted in
inadequate controls, and in some cases reduced transparency, in relation to some
international payment flows.
(f) Reduced payment transparency undermines the reputation, integrity and security of the
Australian and global payments systems.
(g) Reduced payment transparency limits the ability of AUSTRAC, the ATO and law
enforcement to trace the origin, purpose and character of funds.
(h) Over 5.7 million late IFTI reports involve transactions totalling AUD 2.9 billion that fall
outside of the statutory limits the ATO operates under in respect of taking corrective
action against taxpayers who have lodged tax returns. Westpac’s failures to lodge IFTI
reports on time and, in some cases, complete IFTIs, have risked undermining the
Australian taxation system.
(i) Westpac’s failure to appropriately identify and manage all ML/TF risks from international
payment flows and to appropriately monitor these transactions for suspicious activity has
resulted in the loss of opportunity to detect, trace and disrupt possible unlawful activity,
including possible child exploitation, money laundering, terrorism financing and tax
offences.
(j) The OSBSB arrangements allowed certain domestic and overseas branches of the
account holder direct access to Westpac’s banking environment and payment systems
but did not have adequate risk-based systems and controls in place.
(k) Westpac’s OSBSB arrangements also permitted cash deposits below $10,000 at
branches by persons whose identity could have been unknown and not verified, although
such deposits were subject to the controls described at paragraph 269 above.
(l) Reduced payment transparency with the Direct ACM arrangements with Banks A and F
undermined Westpac’s ability to give IFTI reports to the AUSTRAC CEO that contained
all the information required by the AML/CTF Rules.
(m) While Westpac conducted some independent review in relation to its Part A Program in
the period 2014 to 2017, it did not conduct a review that fully met the requirements of
Part 9.6 of the AML/CTF Rules until 2018. This limited its ability to identify these
deficiencies.
E.1.5.2 Transaction monitoring program
339 These contraventions are serious because:
(a) The AML/CTF Act reposed a high degree of trust in Westpac to monitor transactions,
having regard to the ML/TF risks of its own business.
(b) Appropriate risk-based transaction monitoring is central to ensuring that matters that may
be suspicious for the purposes of section 41 of the AML/CTF Act are identified and
reported to AUSTRAC and law enforcement. Appropriate risk-based transaction
monitoring is central to Westpac’s understanding of its own ML/TF risks, including
emerging risks.
(c) In mid-2015, Group Audit prepared an audit report that included an issue raised by WIB
Financial Crime regarding deficiencies in the Group’s transaction monitoring program with
regard to the monitoring of certain transactions, including international transactions. The
Group Audit report included a management action plan, which required a detailed
analysis of the current state of the transaction monitoring program to determine the extent
of gaps. In August 2015, Enterprise Financial Crime circulated a memorandum outlining
the current scope of Westpac's transaction monitoring program. Over the course of 2016
and 2017, Westpac took actions to address transaction monitoring issues in other
jurisdictions. In August 2017, gaps in the transaction monitoring program were again
identified.
(d) Westpac did not appropriately monitor aspects of its international payment flows in the
billions of dollars that carried higher ML/TF risks, including risks associated with tax
offences and child exploitation. This failure exposed the Australian financial system and
Australian system to these risks.
(e) Payment flows through vostro accounts carry higher ML/TF risks which must be subject
to appropriate risk-based monitoring to protect the integrity of the Australian payments
system. For several years, Westpac failed to appropriately monitor these international
payment flows.
(f) If transactions are not appropriately monitored, unusual or suspicious activity cannot be
identified and reported to AUSTRAC. Westpac’s failure to appropriately monitor billions of
dollars of international payment flows could have impacted the ability to identify and
disrupt possible suspicious activity.
(g) While Westpac conducted some independent review in relation to its Part A Program in
the period 2014 to 2017, it did not conduct a review that fully met the requirements of Part
9.6 of the AML/CTF Rules until 2018. This limited its ability to identify these deficiencies.
(h) In the case of the failure to adequately monitor for indicators of CEM typologies:
(i) In December 2013, AUSTRAC published typologies on the child exploitation risks
of low value payments to the Philippines, which were available to Westpac. From
May 2016, senior members of Westpac's financial crime function were aware of
heightened CEM risks associated with low value payments to the Philippines.
Some senior members of Westpac's financial crime function were also aware of
the fact that CEM specific detection monitoring was not being applied across non-
LitePay international payment products that facilitated such payments. Whilst
senior management were advised that heightened risks associated with low value
payments were recently highlighted in the Report on the Statutory Review of the
AML/CTF Act, they were not advised that the Report referred to heightened risks
related to child exploitation. Nor was the Board advised of heightened CEM risks
connected with LitePay;
(i) Westpac did not have appropriate and timely regard to all Guidance; and
(ii) in the absence of appropriate risk-based transaction monitoring, Westpac was not
in a position to identify all transactions potentially indicative of CEM typologies.
(i) Westpac should have implemented more appropriate transaction monitoring than it did.
This may have generated more suspicious matter reports to AUSTRAC.
E.1.5.3 Systems and controls for IFTI reporting
340 These contraventions are serious because:
(a) Westpac did not have appropriate end-to-end reconciliation, assurance and adequate
oversight processes to ensure that it was reporting IFTIs to AUSTRAC on time and with
complete payer information where it had an obligation to do so under section 45 of the
AML/CTF Act.
(b) Westpac did not identify that over 72% of all incoming IFTIs received by Westpac for the
period 5 November 2013 to 3 September 2018 had not been reported.
(c) In June 2014, Group Audit identified that there was inadequate end-to-end
understanding, documentation and monitoring over the IFTI reporting process.
Management undertook a number of actions to address the issues raised by Group Audit,
which led to Group Audit closing the issue in January 2016. However, weaknesses in
Westpac's data management and technology systems in relation to AML/CTF compliance
persisted.
(d) As a result of the failure to file the IFTIs on time, AUSTRAC, the ATO and other law
enforcement agencies have been deprived of timely information relating to over $11
billion in international payments for up to 6 years.
(e) IFTIs assist in the process of revenue collection. Of the IFTI reports lodged late by
Westpac, over 5.7 million transactions fall outside of the statutory limits the ATO operates
under in respect to taking corrective action against taxpayers who have lodged tax
returns. The value of the reported funds in respect to these transactions is $2.9 billion.
(f) Late IFTI reporting delays and hinders law enforcement efforts. Timely access to IFTI
information facilitates the tracking of off-shore movements of funds resulting from tax
evasion and other crime, and assists in the process of revenue collection and the
recovery of proceeds of crime.
(g) Reduced payment transparency with the Direct ACM arrangements with Banks A and F
undermined Westpac’s ability to give IFTI reports to the AUSTRAC CEO that contained
all the information required by the AML/CTF Rules.
(h) As Westpac did not always obtain full information about payers as required to be included
in IFTI reports, the ability to identify possible suspicious conduct has been compromised
or lost.
(i) Of the 2,314 IFTI reports lodged late relating to LitePay:
(i) 18 related to 7 of the first 12 customers with respect to whom Westpac had
identified transactions suspected to be indicative of child exploitation;
(ii) 19 related to customers 27, 41, 45, 68, 81, 104, 127, 139, 160, 186, 210 and 221
with respect to whom Westpac had identified transactions suspected to be
indicative of child exploitation;
(j) AUSTRAC, the ATO and other law enforcement were not given timely intelligence in
relation to those 37 international transfers. During the Relevant Period, Westpac reported
to AUSTRAC approximately 4,773 IFTIs relating to the 262 customers within 10 days of
the relevant international transfers taking place.
E.1.6 Ongoing Customer Due Diligence – contraventions of section 36 of the AML/CTF
Act
341 These contraventions are serious because:
(a) Westpac’s failure to conduct appropriate ongoing customer due diligence in relation to the
262 customers was systemic and occurred over a number of years.
(b) Some Guidance on CEM typologies had been available to Westpac at all times during the
Relevant Period. In December 2016, AUSTRAC provided reporting entities, including
Westpac, with methodology briefs detailing the key indicators for the purchase of
livestreaming child exploitation material, involving international funds transfer instructions
to the Philippines and South East Asia.
(c) Given the serious nature of CEM risks, it is important for Westpac and other reporting
entities to ensure that they have appropriate risk-based controls for transaction
monitoring and enhanced customer due diligence with respect to these risks.
(d) Had Westpac appropriately monitored its customers in relation to CEM, it may have
identified activity indicative of CEM sooner. Had this activity been identified sooner, it
could have been reported to AUSTRAC and law enforcement sooner, through SMRs.
Had this activity been identified sooner, Westpac would have been in a position to
undertake additional steps to identify, mitigate and manage the risks of ongoing CEM. In
some cases, Westpac could have reported customers to AUSTRAC a number of years
earlier.
(e) Westpac failed to identify activity potentially indicative of child exploitation risks by failing
to implement appropriate transaction monitoring detection scenarios. Three of the
customers the subject of these proceedings had prior convictions relating to child
exploitation offences. AUSTRAC advises that one of these customers has been arrested
in relation to further child exploitation offences since the commencement of these
proceedings. AUSTRAC advises that other customers are being assessed further for
possible investigations.
E.2 Loss or damage suffered
342 Westpac is a large corporation operating in an industry with known ML/TF risks. The AML/CTF
Act reposes a high degree of trust in Westpac to identify, mitigate and manage the ML/TF risks of
its own business. Financial service providers play an important role in combating financial crime.
343 It is essential to the integrity of the Australian financial and payments system that a major bank
such as Westpac has compliant and appropriate risk-based systems and controls in place to
identify, mitigate and manage ML/TF risk when providing designated services. Organised crime
puts the financial sector and the community at risk of harm and undermines the trust Australians
put in our financial institutions.
344 It is also essential to the Australian and global financial systems that international payment
instructions are transparent and that the higher ML/TF risks of correspondent banking
relationships are appropriately managed.
345 Money laundering is fundamentally about obscuring the origin and destination of funds. For this
reason, payment transparency is one of the basic foundations of AML/CTF risk management and
compliance. Payment systems that are not transparent can be exploited by organised crime, can
facilitate tax offences and can impede law enforcement investigations.
346 A lack of transparency with international payments that pass through the Australian payments
system exposes global payments systems to the same risks. This also undermines the integrity,
safety and reputation of the Australian payments system.
347 It is critical to ensuring payment transparency that the senders or recipients of IFTIs file reports of
these instructions with AUSTRAC in a timely and complete manner.
348 Correspondent banking relationships present higher ML/TF risks associated with cross border
movements of funds, jurisdiction risk (including the risks of operating in certain foreign countries)
and risks associated with the transparency of the identity and source of funds of customers of the
correspondent banks. Westpac allowed foreign institutions to operate within its banking
environment and within the Australian payments system without appropriate due diligence, risk
assessments and monitoring. Westpac’s failures have exposed Westpac, the Australian
payments system, and some international payment channels to greater ML/TF risks including in
relation to low value payments, which do not always involve inherently low ML/TF risks.
Westpac’s failures have also exposed people to the risks of serious crime.
349 The late and, in some cases, incomplete IFTI reports, have deprived AUSTRAC, law enforcement
and the ATO of intelligence to which they are entitled involving movements of over $11 billion
in international payments over many years. As the international payments system allows
money to move quickly, late and incomplete IFTI reports result in a lack of transparency in
relation to the payments, compromising the ability of law enforcement to trace money, to
investigate and prosecute serious crime and to recover the proceeds of crime.
350 Over 5.7 million late IFTI reports involve transactions totalling AUD 2.9 billion that fall outside of
the statutory limits the ATO operates under in respect of taking corrective action against
taxpayers who have lodged tax returns. Westpac’s failures to lodge IFTI reports on time and, in
some cases, complete IFTIs, have risked undermining the Australian taxation system.
351 Westpac’s failure to pass on information about the origin of transferred money to other financial
institutions in funds transfer chains reduced transparency in relation to these payments and may
have impacted the ability of those other financial institutions to manage ML/TF risk. The absence
of readily available information about the origin of funds transfers may compromise the ability of
law enforcement and the ATO to investigate and prosecute serious crimes.
352 Westpac’s failure to appropriately identify all ML/TF risks from international payment flows and to
appropriately monitor these transactions for suspicious activity has resulted in the loss of
opportunity to detect and disrupt possible unlawful activity, including possible child exploitation,
money laundering, terrorism financing and tax offences.
353 Westpac failed to identify activity potentially indicative of child exploitation risks by failing to
implement appropriate transaction monitoring detection scenarios. Three of the customers the
subject of these proceedings had prior convictions relating to child exploitation offences.
AUSTRAC advises that one of these customers has been arrested in relation to further child
exploitation offences since the commencement of these proceedings. AUSTRAC advises that
other customers are being assessed further for possible investigations.
E.3 Prior contraventions
354 Westpac has not previously been found to have engaged in any contravention of the AML/CTF
Act.
E.4 Westpac's size and financial position
355 Westpac reported a Net Profit for the full year ending 30 September 2019 of approximately
$6,790 million. Of this, approximately 70% was returned to shareholders through dividends with
the balance reinvested. Westpac reported a Net Profit for the half year ending 31 March 2020 of
approximately $1,190 million.
356 Westpac maintains approximately 1,140 branches, servicing approximately 14.2 million
customers.
Westpac employs approximately 33,300 people.
357 Reflecting its scale, size of customer base and geographic spread of operations, at all material
times Westpac has operated numerous and complex computer and management systems and
controls.
E.5 Board and senior management involvement
358 The contraventions set out above were not a consequence of any deliberate intention to
contravene the AML/CTF Act. At all times the Westpac Board and senior management sought to
ensure that Westpac would comply with its obligations under the AML/CTF Act.
359 Westpac acknowledges that the AML/CTF Rules require ongoing oversight of Part A of
Westpac’s Program by the Board and senior management, and that the primary purpose of Part
A is to identify, mitigate and manage ML/TF risk.
360 Westpac acknowledges that its Board and senior management are responsible for seeking to
ensure the Westpac Group manages the ML/TF risks faced by its business.
361 During the Relevant Period, Westpac’s Board and senior management sought and received
regular and detailed reports in relation to Part A of Westpac's Program and the identification,
mitigation and management of ML/TF risks reasonably faced by Westpac from personnel with
direct responsibility and oversight of the AML/CTF function. Where issues were identified, the
Board and senior management sought to ensure these issues were addressed.
362 Despite those steps, Westpac now acknowledges that for much of the Relevant Period:
(a) the reporting to the Board and senior management on AML/CTF compliance and the
identification, mitigation and management of ML/TF risk reasonably faced by Westpac
lacked completeness and sufficient insight;
(b) while Westpac's AML/CTF risk management framework was subject to some
independent reviews by its internal audit function and by third party experts, Westpac did
not complete an independent review that satisfied all of the requirements of Part 9.6.5 of
the AML/CTF Rules which are for the purposes of assessing the Part A Program's
compliance and effectiveness;
(c) some areas of ML/TF risk were insufficiently understood within key areas of Westpac;
(d) there was, at times, a lack of sufficient speed in addressing instances where Westpac
identified that it was operating outside of its ML/TF risk appetite;
(e) there was a lack of sufficient clarity and understanding within Westpac as to the particular
accountabilities between the three lines of defence responsible for financial crime
controls;
(f) the AML/CTF compliance and risk management functions were not adequately
resourced;
(g) there were weaknesses in Westpac's data management and technology systems in
relation to AML/CTF compliance;
(h) amendments to Westpac's Part A Program were approved by senior management
committees, with the result that the Board did not have complete oversight over that
process; and
(i) AML/CTF compliance and risk management was not as rigorous as it should have been.
363 Westpac’s Board and senior management oversaw a range of measures directed at improving its
AML/CTF function and the identification, mitigation and management of ML/TF risks, including the
measures outlined at E.7 below. These improvements were directed at addressing, among other
things, the shortcomings listed at paragraph 362 above.
364 Many of the improvements occurred from 2017 onwards. Westpac now acknowledges that
improvements could and should have been made earlier.
365 In recognition of the importance of compliance with Westpac's AML/CTF obligations and the
significance of the breaches which are the subject of the proceedings, consequences were
applied to a number of members of Westpac staff and senior management.
E.6 Cooperation with AUSTRAC and contrition
366 At all times throughout the Relevant Period and since, Westpac has invested in building a
productive, cooperative and transparent relationship with AUSTRAC, including through
collaboration and information sharing. This has ranged from informal updates to regular progress
meetings at which Westpac provided updates to AUSTRAC on the status of various projects
being undertaken by Westpac to uplift its AML/CTF policies, controls and procedures.
367 Westpac's cooperation and collaboration with AUSTRAC has included its involvement in the
Fintel Alliance, of which Westpac was a founding member and is a member of the Fintel Alliance
Strategic Advisory Board. The Fintel Alliance is a public-private partnership launched in 2017 that
brings together a range of organisations involved in the fight against money laundering, terrorism
financing and other serious crime.
368 AUSTRAC’s investigation into Westpac and the matters the subject of these Proceedings
commenced following a voluntary self-report by Westpac on 15 August 2018 of identified IFTI
non-reporting. This voluntary self-report was made promptly upon senior management becoming
aware of the issue.
369 Following the identification of the IFTI non-reporting in respect of the ACM arrangements,
Westpac responded quickly to identify root causes and scope a remediation program. Westpac
attended frequent meetings with AUSTRAC in late 2018 and 2019 to update AUSTRAC on
progress of the remediation program.
370 At all times since August 2018, Westpac has cooperated with AUSTRAC in respect of its
investigation and engaged constructively with AUSTRAC in relation to responding to the
Statement of Claim. In particular, and in addition to the remediation, corrective measures and
enhancements discussed in section E.7 below, Westpac has:
(a) continued to work cooperatively with AUSTRAC on matters relating to AUSTRAC’s
ongoing supervisory role and in the conduct of the Proceedings;
(b) following the commencement of the Proceedings:
(i) promptly expressed contrition and its desire to work with AUSTRAC to resolve
the Proceedings;
(ii) responded to AUSTRAC's extensive requests for further information and
documents;
(iii) initiated communication with AUSTRAC in relation to the mediation and
participated in the mediation process; and
(iv) entered all of the admissions in Section D above at the earliest available
opportunity.
371 Further, Westpac:
(a) agrees that money laundering and terrorism financing undermine the integrity of the
Australian financial system and impact the Australian community's safety and wellbeing;
(b) acknowledges that, as a bank, Westpac plays a key role in combating money laundering
and terrorism financing;
(c) accepts its accountability for the admitted contraventions;
(d) expresses its deep regret for those contraventions; and
(e) acknowledges the significant impact that deficiencies in its systems and processes can
have on efforts to combat money laundering and terrorism financing.
E.7 Remediation, corrective measures and enhancements
E.7.1 Outline of activities directed to AML/CTF enhancements
372 Westpac has advised AUSTRAC that it has undertaken the following activities.
373 Since 2014 Westpac has spent $632 million on financial crime compliance (including AML/CTF
compliance), and has made improvements to its technology platforms, personnel, processes and
procedures.
374 Reflecting its scale, size of customer base and spread of geographic operations, the systems and
controls that support Westpac's AML/CTF compliance are of such a scale and complexity that
effecting changes, upgrades and enhancements is necessarily time consuming and work must be
undertaken carefully having regard to achieving the optimal outcomes and the possibility of
unintended consequences.
375 In 2015, Westpac commenced a review of its financial crime IT system, Detica, which led to
Program Shield, a program to upgrade this system to facilitate a more efficient and coordinated
approach to financial crime management, including transaction monitoring and sanctions
screening. Given its scale and complexity, the design and implementation activities associated
with the project have occurred over a number of years. Work commenced on the upgrade in 2016
and continues. In total, since 2015, Westpac has invested $78.37m in phases 1 to 3 for upgrades
to Detica, with $55.2m approved in 2019 for Phase 4 through to FY 2021.
376 Over a number of years, Westpac has made structural and resourcing changes to its first line and
financial crime teams to facilitate a more consistent and effective approach to financial crime
management across the Group.
377 From 2015 to 2019, Westpac implemented numerous plans of work to identify and address
issues relevant to AML/CTF compliance. In September 2017, an AML/CTF Working Group was
established. The Working Group met on an almost monthly basis, received regular updates and
tracked remediation of key AML/CTF issues until it was subsumed within broader financial crime
work programs in 2018.
378 From 2018, Westpac reframed its previous program of work into a broader integrated Financial
Crime Strategy for the Group and commenced a significant project of work to implement this
strategy (the Financial Crime Program). The Financial Crime Program currently comprises the
following streams of work:
(a) Operating Model & Governance;
(b) Risk Assessments;
(c) Know Your Customer;
(d) Transaction Monitoring;
(e) Customer and Transaction Screening;
(f) Third Party Risk Improvement and Due Diligence;
(g) Regulatory Reporting;
(h) Correspondent Banking; and
(i) Data Management and Improvement.
379 Significant enhancements have also been made to, among others, the Risk Assessment
Standard, Correspondent Banking Standard, TMP Standard and Regulatory Reporting Standard
and their underlying processes and procedures. These enhancements are described in greater
detail below.
380 In 2017, WIB instituted its own program of work (named Project Emerald) to review and enhance
its financial crime risk management framework and controls across the following individual
workstreams – Global Standards, Customer Lifecycle Management, Regulatory Client Uplift, Risk
Assessment, Reporting, Anti-bribery and corruption, Training and Awareness, Transaction
Monitoring and Sanctions.
381 Further improvements prior to the commencement of the Proceedings include:
(a) a significant increase in the number of internal resources dedicated to financial crime,
doubling the number in the past three years (2017 to 2019) to approximately 750 people
as at November 2019, with a target of reaching 950 by the end of 2020;
(b) the establishment of a Financial Crime Program Steering Committee in November 2018,
which was sponsored by the Chief Risk Officer and the General Manager, Compliance.
That has since been replaced by a Financial Crime Program Portfolio Control Group in
July 2020, sponsored by the Group Executive, Financial Crime, Compliance and Conduct
and Chief Transformation Officer, Financial Crime, Compliance and Conduct;
(c) the appointment of a new Global Head of Financial Crime (Westpac's Money Laundering
Reporting Officer) in April 2019, who since November 2019, has reported directly to the
Group Chief Risk Officer (and now the Group Executive, Financial Crime, Compliance &
Conduct) as a General Manager; and
(d) the establishment of the Group Financial Crime Risk and Compliance Committee in
October 2019, responsible for reviewing and monitoring the strength of the Financial
Crime Framework.
382 Since the Proceedings commenced, Westpac has advised AUSTRAC that it has continued to
implement enhancements to its approach to AML/CTF compliance.
383 The enhancements include:
(a) the establishment of the Board Legal, Regulatory and Compliance Committee, which is
responsible for overseeing, among other matters, financial crime, and succeeds the
Board Financial Crime Committee, established in November 2019;
(b) the appointment of a new role of Group Executive responsible for Financial Crime,
Compliance and Conduct in May 2020;
(c) engaging Promontory to provide external assurance to Westpac's Board over the design
effectiveness of the Financial Crime Strategic Plan (and Westpac's program of work to
implement that plan);
(d) appointing an independent Advisory Panel to assess the Board's governance and
accountability in relation to financial crime. The Advisory Panel made a number of
recommendations which Westpac has accepted and included in its remediation program;
(e) conducting an internal review of its financial crime governance model to clearly specify
individual accountabilities and embed monitoring processes, and the financial crime
assurance model to better define the three lines of defence model to ensure clarity of
roles and responsibilities;
(f) following Westpac's Culture, Governance and Accountability (CGA) re-assessment,
Westpac has established a multi-year Customer Outcomes and Risk Excellence (CORE)
Program, which is directed towards the management of non-financial risk;
(g) developed and resourced a Monitoring and Testing team with an associated framework,
dedicated to continuous testing of financial crime controls across Line 1 and Line 2; and
(h) undertaking significant improvements to and a refresh of Westpac's financial crime
training program for the Board, senior management and staff in relation to AML/CTF
compliance.
384 Westpac has also closed a number of the products that are the subject of the Proceedings,
terminating:
(a) the ACM1 arrangements;
(b) the OSBSB arrangements with Bank B and Bank J; and
(c) the LitePay product.
385 Westpac has served notice to terminate the ACM2 and ACM3 arrangements, as well as its
relationship with Ordering Institution A.
386 Westpac has also made a number of enhancements specific to the areas of contravention as
described below.
E.7.2 IFTI reporting contraventions
387 Since Westpac self-reported the non-reporting of IFTIs to AUSTRAC, it has taken a number of
actions to remediate the non-reporting, address root causes and improve its governance in
relation to IFTI reporting, reconciliation processes and data quality. Those actions include:
(a) Westpac engaged Promontory to perform a review of the non-reported IFTIs that
Westpac received from Banks A, B, C and D through the ACM arrangements in place
with those banks, as well as the non-reported IFTIs received by Westpac through the
arrangements with Ordering Institution A, and the non-reported IFTIs sent by Westpac
through the outgoing arrangements with Bank B. Promontory performed a lookback
review in relation to these IFTIs to understand the ML/TF risk profile of these
transactions. Westpac provided the Promontory reports to AUSTRAC. As a result of the
analysis undertaken by Promontory, Westpac provided four SMRs to the AUSTRAC
CEO.
(b) In August 2018, Westpac established Project 106, an internal Westpac project to
ascertain the scale of any IFTI non-reporting in respect of the Direct Model ACM
arrangements, address any identified non-reporting by back-capturing non-reported IFTIs
and providing those IFTI reports to AUSTRAC (and having that back-capture process
subjected to external independent validations), and implemented additional processes
and controls to facilitate IFTI reporting for those arrangements moving forward. All non-
reported IFTIs referred to in C.1 above have now been reported to the AUSTRAC CEO.
(c) In September 2018, Westpac commenced a detailed analysis of international payment
flows involving Westpac’s financial institution clients (including financial institutions and
non-bank financial institutions) outside of the ACM arrangements to determine whether
any that were required to be reported as IFTIs were not in fact reported.
(d) To ensure that non-reporting of IFTIs similar to that which occurred with respect to
Ordering Institution A does not occur in the future, Westpac has updated its
implementation review checklist to incorporate changes to counterparty details. This new
checklist is a mandatory requirement for all new customer solution implementation
requests, as well as requests to update existing customer solutions.
(e) Westpac has ceased all Direct Model ACM arrangements with the following banks. In
particular:
(i) the Direct Model ACM arrangement with Bank A ceased on 12 November 2018;
(ii) the Direct Model ACM arrangements with Bank D ceased on 31 January 2019;
(iii) the Direct Model ACM arrangement with Bank C ceased 2 February 2019; and
(iv) the Direct Model ACM arrangement with Bank B ceased on 4 February 2019.
(f) Westpac also:
(i) ceased the OSBSB arrangements with Bank B on 30 September 2019 and Bank
J on 10 January 2020; and
(ii) closed the LitePay product in November 2019.
(g) Westpac has implemented the following additional controls, which it continues to
enhance:
(i) an IFTI reporting reconciliation tool (implemented in 2019 and enhanced in 2020)
to ensure all IFTIs sent or received by Westpac are reported to the AUSTRAC
CEO within the time periods required by the AML/CTF Act. The tool reconciles
transactions provided by source systems (such as SWIFT Alliance Messaging
Hub, WIBS referrer and Qvalent) against those provided to Detica and AUSTRAC
Online, and identifies any potential non-reporting issues that may require
remediation actions;
(ii) an IFTI data enrichment tool to improve the data quality in IFTI reports that are
provided to the AUSTRAC CEO. The tool obtains customer data from customer
source systems to enrich the customer data in outgoing IFTIs ordered by
Westpac customers; and
(iii) an IFTI conformance tool that is designed to assess the quality of data included in
IFTI reports against the specifications in the AML/CTF Rules. The tool identifies
data deficiencies at source, allowing for any remediation and for Westpac to track
over time the data quality included in IFTI reports.
E.7.3 Origin of international funds transfers contraventions
388 The actions referred to in paragraph 387 above are also relevant to the contraventions of section 64
of the AML/CTF Act.
E.7.4 Records of origin of international funds transfers contraventions
389 The contraventions described in paragraph 136 above occurred as a result of historical back-up
systems that have now been replaced or as a result of configuration issues in current systems
that were identified and fixed prior to the commencement of the Proceedings.
390 Since 2018, Westpac has also undertaken a number of further enhancements to its AML/CTF
record keeping systems, including:
(a) increasing the length of time that original customer instructions are maintained in an
‘online’ state within the WIBS systems to approximately six months; and
(b) improved monitoring of back-up system performance to ensure timely detection and
rectification of any failures.
391 Since the proceedings were filed Westpac has updated its Group Records Management Policy,
which will be implemented from October 2020 under the Enterprise Records Management
Program. The new Policy will more clearly define the roles and responsibilities within business
units including relevant governance.
E.7.5 Correspondent banking due diligence contraventions
392 Westpac's approach to managing the ML/TF risk posed by its correspondent banking
relationships has developed in recent years, during which time it has worked constructively with
AUSTRAC.
393 This has included:
(a) making changes to its correspondent banking due diligence processes, systems and
controls to address a requirement and recommendations made by AUSTRAC in its 2012
Compliance Assessment Report into Westpac's correspondent banking controls. Those
changes included:
(i) addressing the recommendation by AUSTRAC that Westpac review the systems
and control processes formerly used for rating correspondent banks so that
the composite findings from the Preliminary Risk Assessments and Due Diligence
Assessments that were used to determine the appropriate level of risk associated
with the correspondent banking relationships were accurate, and did not merely
reflect the “jurisdiction” risk considerations only. That recommendation was
addressed by Westpac introducing the Composite Risk Rating into its
assessments;
(ii) addressing the recommendation by AUSTRAC that Westpac should include a
“date of completion” on all correspondent banking review documents, by adding
such a “date of completion” entry into all DD Workbooks;
(iii) addressing the recommendation by AUSTRAC that the date of the next review
date be included on the "Dashboard" tab of the Due Diligence Assessment so
that the Due Diligence Assessment review was completed in a timely manner, by
more routinely completing the “next review date” field in the DD Workbooks; and
(iv) addressing the recommendation by AUSTRAC that when a trigger event takes
place, the applicable trigger report be included in the correspondent bank’s file,
by requiring that the teams undertaking the Preliminary Risk Assessments and
Due Diligence Assessments to amend the Reporting Diary, including the next due
date and depth of the review, and raising a trigger report, which is saved under
the country folder in Westpac’s files;
(b) making changes to its correspondent banking due diligence processes, systems and
controls to address further recommendations made by AUSTRAC in its 2016 Compliance
Assessment Report into Westpac’s correspondent banking controls. In particular,
Westpac:
(i) made changes to the CB Procedures Manual to respond to AUSTRAC’s
conclusion that Westpac did not demonstrate in the DD Workbook a thorough
assessment of the existence and quality of any AML/CTF regulation in the
correspondent bank's country of domicile or that of its parent when documenting
Due Diligence Assessments;
(ii) made changes to the Westpac Questionnaire to respond to AUSTRAC’s
conclusion that, in the absence of a trigger report (which is created after a trigger
event if the event is deemed material), Westpac did not demonstrate in its
periodic review documentation the assessment of any material changes in
respect of the matters reviewed in the Due Diligence Assessment;
(iii) made changes to the Dashboard in the DD Workbook to respond to AUSTRAC’s
conclusion that AUSTRAC was unable to identify evidence in Westpac's Due
Diligence Assessment of assessment of the nature of the correspondent bank’s
ongoing business relationship with Westpac, including the types of transactions
carried out as part of that relationship or any material change in the nature of this
relationship. In particular, the following additional questions were added to the
Dashboard (section 3.8) in the 'Business Value Check / Assessment Decision'
section:
(A) “[Relationship Manager] Comments: Please confirm if there has been any
material change in the products and services used by the customer since
last review?”;
(B) “[Network Manager] Comments: Please confirm if there has been any
noticeable change to the volume or value of transactions since last
review?”;
(iv) made changes to its CB Procedures Manual to respond to AUSTRAC’s
recommendation that Westpac should enhance its oversight of correspondent
banking periodic review process by providing management information to key
stakeholders on any reviews not completed within the specified timeframes in the
correspondent banking documentation. In particular, Westpac replaced the
monthly correspondent banking stakeholders meeting with the CBDDC in July
2017, which also meets monthly and is co-chaired by the General Manager of
GTS and the General Manager of CIB. The CBDDC has the following objectives:
(v) monitor new and ongoing correspondent banking relationships;
(A) block, terminate, decline or limit any correspondent banking relationships
outside of risk appetite;
(B) review overall composition of correspondent banking customers and
make decisions regarding specific areas of concern;
(C) monitor and make decisions in response to potential risk implications of
any new or amended products, processes and controls in relation to
correspondent banking;
(vi) made changes recommended by AUSTRAC to Westpac’s RFO Procedures
Manual for clarity and comprehensiveness so that the manual was consistent with
the key policies and procedures, including the AML/CTF program and the CB
Standard;
(vii) made changes recommended by AUSTRAC to its CB Procedures Manual so that
in its Preliminary Risk Assessments and Due Diligence Assessments Westpac
document any discrepancies identified in those assessments. Those changes
included updating the Dashboard template by adding sections for the RFO Senior
Due Diligence Manager, Relationship Manager and Network Manager to provide
commentary and implementing a process whereby where there were any
discrepancies identified, the manager would resend the DD Workbook back to the
analyst undertaking the assessment and highlight any issues identified for
remediation. Once remedied, the analyst would resend the DD Workbook back to
their manager for review; and
(viii) made changes recommended by AUSTRAC to update the CBRA Model to
include, where applicable, the reasons for assessing the correspondent bank to
have increased risk or adverse findings.
394 Westpac has made further enhancements to its processes, systems and controls in relation to
correspondent banking due diligence as part of an initiative to align itself with global best practice,
reduce its number of correspondent banking relationships, and simplify the banking services and
products it offers to its correspondent banks. This has included the following steps, all of which
Westpac undertook or initiated prior to the commencement of these Proceedings:
(a) WIB has offboarded a large number of correspondent banking relationships since July
2017 which do not meet its risk appetite or strategic or commercial objectives; and
(b) Westpac introduced an updated and enhanced CB Standard, approved by the Board on
11 December 2019, with new procedures to replace the CB Procedures Manual (named
the "Correspondent Banking Due Diligence Procedures" (CBDD Procedures)).
(c) The changes made to the CB Standard include the following enhancements:
(i) broadening the definition of a correspondent banking relationship, beyond the
definition in the AML/CTF Act, such that Westpac now treats non-bank financial
institutions that use correspondent banking products and domestic correspondent
banking relationships as correspondent banking relationships. A non-bank
financial institution is defined expansively in the CBDD Procedures as any
financial institution that offers financial services but does not have a banking
licence and cannot accept deposits from the public. By contrast, section 5 of the
AML/CTF Act limits the definition of a correspondent banking relationship to one
with the following financial institutions: an authorised deposit taking institution, a
bank, a building society, a credit union or a person specified under the AML/CTF
Rules;
(ii) stipulating prohibited correspondent banking relationships and restricted activity
through correspondent banking relationships;
(iii) changing the risk rating methodology for correspondent banks so that all
correspondent banks are rated as 'high' or 'very high' risk, with all 'very high' rated
correspondent banks subject to an annual Preliminary Risk Assessment and Due
Diligence Assessment, and 'high' rated correspondent banks subject to a
Preliminary Risk Assessment and Due Diligence Assessment every two years;
(iv) more clearly articulating the separate requirements in relation to conducting an
initial Preliminary Risk Assessment and Due Diligence Assessment prior to
onboarding and ongoing Preliminary Risk Assessments and Due Diligence
Assessments throughout the correspondent banking relationship;
(v) the following approval processes:
(A) approval of all correspondent bank relationships is required from the
General Managers of GTS and CIB, Head of Financial Crime, GTS and
the WIB Financial Crime Officer; and
(B) approval of 'very high' rated correspondent banks also requires approval
of the General Manager, Financial Crime.
(d) The changes made to the CBDD Procedures and its related guidelines and processes
include the following enhancements:
(i) introducing additional identification and verification requirements to align with
AUSTRAC and international regulatory guidance and global industry standards;
(ii) introducing a more qualitative assessment of the overall correspondent banking
relationship;
(iii) redefining Westpac's risk appetite in relation to correspondent banking and
ensuring that identified higher ML/TF risk indicators are considered and that the
assessment of these indicators is documented more clearly;
(iv) introducing site visits to, or calls with, correspondent banks to improve the depth
of the assessment of the correspondent banks' AML/CTF and sanctions controls;
(v) redesigning the periodic review cycles, trigger event reviews and relevant
processes (including customer transactional activity reviews) to provide for
regular reviews and assessments of the correspondent banking relationships
based on the risks they present (including the sale of a new product); and
(vi) a more robust quality checking and quality assurance process.
395 Further work, also commenced prior to the commencement of these Proceedings, includes:
(a) the design of additional automated transaction monitoring scenarios to identify additional
ML/TF risk typologies associated with transactions made through vostro accounts,
implemented in the first quarter of 2020;
(b) updating guidance documents that underpin the CBDD Procedures, which was
completed at the end of February 2020; and
(c) a further review and reduction of the population of correspondent banks, to align Westpac
with its commercial strategy and risk appetite, and to support it in its aim to enhance the
quality of due diligence on its correspondent banking relationships.
396 Since the commencement of these Proceedings, Westpac has:
(a) reviewed the Statement of Claim to confirm whether any deficiencies have been
addressed through the improvement work already undertaken or, where not, that there is
an action plan to address those deficiencies or to make further enhancements;
(b) commenced re-conducting Preliminary Risk Assessment and Due Diligence Assessments
across the correspondent banking portfolio according to Westpac's new enhanced CB
Standard and CBDD Procedures. The re-review of Bank A Parent and Banks B to P has
been prioritised and completed, and Westpac anticipates completing its re-review of all
relevant correspondent banks by the end of March 2021; and
(c) until a future date, currently anticipated to be the completion of the re-review of the
relevant correspondent banks, ceased:
(i) the opening of any new vostro or RMA arrangements as part of any new or
existing correspondent banking relationships; and
(ii) approving new jurisdiction or currency flows for existing correspondent banking
relationships;
(d) updated the DD Workbooks, RFO procedures and associated documents to align with the
CB Standard and CBDD Procedures; and
(e) developed processes, standard operating procedures, key performance indicators, and
management information to ensure and measure adherence to Westpac's correspondent
banking risk appetite and to ensure appropriate exceptions approvals, monitoring and
oversight.
E.7.6 AML/CTF Program
Risk assessments and risk-based systems and controls
397 Since 2017, Westpac has undertaken a significant body of work to improve its approach to ML/TF
risk assessments, including product and channel ML/TF risk assessments. Prior to the
commencement of the Proceedings, the following work was completed:
(a) in late 2017, Westpac developed refreshed channel and product ML/TF risk assessment
methodologies. This included a new process for completing standalone channel risk
assessments; and
(b) starting in late 2017, divisions within Westpac were required to review and update current
product and channel risk assessments under the revised ML/TF risk assessment
approach to ensure consistency across the Group.
398 Since the commencement of Proceedings, Westpac has been taking a number of further steps to
improve its approach to assessment of ML/TF risk. Enhancements undertaken or underway
include:
(a) developing a new Product Risk Assessment and Channel Risk Assessment methodology
and updating the Product and Project Risk Assessment tool;
(b) enhancing the product and channel risk assessment questionnaires to ensure appropriate
coverage of ML/TF risk attributes relevant to its products and channels (based on a
review and assessment of a number of AUSTRAC papers and publications, including
relevant AUSTRAC risk assessments), and to support the identification of whether
products and channels will generate reporting obligations;
(c) mandating an identification and assessment of key controls relied on to mitigate and
manage the ML/TF risks posed by products and channels to support the derivation of a
residual risk rating;
(d) increasing the frequency with which product and channel risk assessments will be
refreshed;
(e) clarifying and refining the defined triggers for refreshing product and channel risk
assessments;
(f) enhancing the methodology and process for completing its enterprise-wide AML/CTF risk
assessment;
(g) completing the enterprise-wide AML/CTF risk assessment;
(h) mandating a reassessment of all products and channels using the new methodology; and
(i) retaining Product Risk Assessments and Channel Risk Assessments in a central registry.
Transaction monitoring
399 Prior to the commencement of the Proceedings, Westpac has:
(a) undertaken work to uplift its TMP Standard, completed in August 2018;
(b) consolidated responsibility for transaction monitoring controls with the appointment of a
new “Financial Crime Controls and Operations Officer” in September 2019, with an
additional dedicated Executive Manager for transaction monitoring commencing in April
2020;
(c) extended CSE transaction monitoring rules to non-LitePay channels;
(d) developed new detection scenarios to address gaps in the monitoring of high-risk
products; and
(e) delivered enhancements to its sanctions, terrorism financing and politically exposed
persons screening processes.
400 Since the commencement of these Proceedings, Westpac has undertaken further work to
enhance its transaction monitoring systems and controls, including:
(a) the establishment of a transaction monitoring governance forum to provide ongoing
governance over the continued effectiveness of the transaction monitoring program;
(b) designing and implementing an end-to-end governance process for the transaction
monitoring program, which includes key performance indicators, controls, actions and
hand off points, together with a standard operating model for the transaction monitoring
program;
(c) conducting a detailed review of AUSTRAC publications and guidance against existing
detection scenarios to determine the adequacy of current scenarios and enhancing
detection scenarios where required;
(d) implementing an end-to-end process to interpret, embed and address AUSTRAC
AML/CTF guidance;
(e) conducting a further review of the detection scenarios for a number of existing products
and services that pose higher ML/TF risks to identify whether any enhancements are
required;
(f) assessing whether appropriate detection monitoring scenarios are in place to identify
transactions and customers that are outside of Westpac's risk appetite; and
(g) reviewing whether remaining non-SWIFT payment channels require further transaction
monitoring or sanctions screening.
401 With respect to child exploitation risk specifically, Westpac has:
(a) extended its automated detection monitoring scenarios for child exploitation risk to
SWIFT channel payments to a broader range of jurisdictions;
(b) amended its procedures so that where Westpac identifies a transaction that it determines
it has a reasonable basis to believe is suspicious in relation to potential CEM activity, an
SMR must be lodged with the AUSTRAC CEO within 24 hours (rather than 72 hours, as
required under section 41 of the AML/CTF Act); and
(c) made amendments to, and supplemented, its detection monitoring scenarios for CEM risk
to address newly published AUSTRAC and other guidance.
402 In relation to vostro account transaction monitoring, Westpac implemented additional detection
monitoring over vostro accounts at the end of February 2020, as described in paragraph 395(a). It
is conducting a further review of these scenarios to identify whether any further enhancements
could be made to the existing detection monitoring.
IFTI reporting
403 In addition to the steps outlined above in E.7.2, on 1 May 2019, Westpac updated the Regulatory
Reporting Standard to include a requirement that the Divisions must ensure and be satisfied that
there were processes and procedures in place (at a Group and/or Divisional level) to ensure that
all transactions facilitated by their Division, which meet the definition of an IFTI were reported to
AUSTRAC within the specified timeframes. This included a requirement that there were controls
in place to periodically reconcile the number of IFTIs received and sent against the number of
IFTI reports submitted to the AUSTRAC CEO.
E.7.7 Ongoing customer due diligence contraventions
404 Westpac has:
(a) terminated the transactional accounts of each of Customers 1-12 and placed a block on
certain products which Westpac cannot immediately exit, such as credit cards or home
loans with existing amounts owed to Westpac, or insurance products. Under these
products, the only transactions the customers can enter into are to repay amounts owed
to Westpac. Once the amount owed to Westpac has been repaid or the product term
expires, the account or product will be terminated;
(b) since the commencement of the Proceedings, made a number of improvements to its
enhanced customer due diligence process in relation to customers who have been
identified in SMRs filed with AUSTRAC in relation to CEM risk. Those improvements
include:
(i) reducing the maximum time for exit decisions to be reached and implemented in
relation to customers in relation to whom an SMR has been filed in relation to
CEM risk;
(ii) blocking certain payments for customers the subject of an exit decision in relation
to CEM risk in the period between an SMR being filed and the customer account
being closed; and
(iii) conducting additional training for relevant staff in relation to identifying and
monitoring for CEM risk.
405 Westpac is also in the process of making enhancements to its ECDD processes.
Date: 24 September 2019
...............................................
Sonja Marsic
AGS Lawyer
For and on behalf of Australian Government Solicitor
Lawyer for the Applicant
..............................................
Peter Haig
Solicitor for the Respondent
Annexure B
Bank | Dates of Preliminary Risk Assessments | Approval dates of Due Diligence Assessments
Bank A Parent | 25 March 2014; 17 May 2016; 25 August 2017 | 5 May 2014; 1 July 2016; 6 September 2017
B | 22 May 2014; 13 May 2016; 18 April 2017 | 10 July 2014; 14 June 2016; 26 May 2017
C | 16 February 2015; 17 June 2016; 17 May 2017 | 9 June 2015; 6 July 2016; 15 June 2017
D | 6 February 2015; 4 November 2015; 19 September 2016; 14 November 2017 | 23 February 2015; 8 February 2016; 23 February 2017; 19 December 2017
E | 7 April 2014; 28 January 2016; 17 January 2018 | 7 April 2014; 24 June 2016; 28 March 2018
F | 6 February 2015; 30 December 2015; 29 November 2016; 18 December 2017 | 18 February 2015; 8 February 2016; 22 February 2017; 22 January 2018
Bank G Subsidiary | 24 March 2015; 16 December 2016 | 9 June 2015; 26 May 2017
H | 22 February 2016; 14 February 2018 | 12 May 2016; 7 May 2018
I | 24 February 2014; 7 March 2016; 12 April 2018 | 18 June 2014; 15 June 2016; 8 May 2018
J | 12 April 2016; 17 November 2017 | 18 May 2016; 19 December 2017
K | 11 April 2014; 25 July 2016; 19 July 2017 | 5 May 2014; 29 July 2016; 9 August 2017
L | 29 October 2014; 30 May 2016; 26 May 2017 | 23 February 2015; 15 June 2016; 30 June 2017
M | 21 November 2014; 22 February 2016; 16 January 2017; 13 November 2018 | 23 February 2015; 11 March 2016; 5 April 2017; 2 April 2019
N | 19 March 2014; 9 September 2016; 1 August 2017 | 18 June 2014; 20 October 2016; 29 August 2017
O | 24 September 2013; 1 February 2016; 10 August 2017 | 14 January 2014; 29 March 2016; 28 August 2017
P | 2 January 2014; 29 December 2015; 20 February 2018 | 14 March 2014; 12 May 2016; 5 April 2018
Annexure C
Customer Number (A) | First Transaction Consistent with Typologies (B) | First SMR Date (C)
13 | 11/05/2017 | 20/12/2019
14 | 21/08/2017 | 6/05/2020
15 | 23/10/2019 | 30/12/2019
16 | 30/06/2017 | 19/12/2019
17 | 24/08/2018 | 20/04/2020
18 | 19/12/2018 | 17/04/2019
19 | 11/04/2016 | 22/11/2019
20 | 8/07/2017 | 30/12/2019
21 | 24/07/2018 | 11/03/2020
22 | 4/09/2018 | 22/07/2020
23 | 19/11/2016 | 22/01/2020
24 | 7/05/2018 | 28/11/2019
25 | 29/10/2015 | 28/11/2019
26 | 31/03/2016 | 16/12/2019
27 | 27/06/2016 | 19/12/2019
28 | 9/11/2015 | 16/12/2019
29 | 7/07/2016 | 18/12/2019
30 | 29/12/2014 | 22/07/2020
31 | 8/06/2017 | 4/10/2018
32 | 1/04/2015 | 16/12/2019
33 | 29/08/2017 | 17/03/2020
34 | 28/09/2016 | 11/12/2019
35 | 5/09/2018 | 3/03/2020
36 | 23/01/2017 | 28/11/2019
37 | 29/09/2014 | 12/12/2019
38 | 9/03/2015 | 28/11/2019
39 | 21/10/2015 | 20/12/2019
40 | 2/05/2016 | 20/12/2019
41 | 19/11/2018 | 23/07/2019
42 | 14/04/2016 | 12/02/2020
43 | 15/12/2015 | 3/02/2020
44 | 17/11/2014 | 27/12/2019
45 | 28/11/2016 | 24/07/2018
46 | 2/02/2016 | 19/12/2019
47 | 8/01/2018 | 17/02/2020
48 | 6/10/2015 | 13/12/2019
49 | 26/09/2014 | 13/12/2019
50 | 21/04/2017 | 21/01/2019
51 | 12/10/2014 | 30/12/2019
52 | 7/03/2017 | 18/12/2019
53 | 9/05/2019 | 11/05/2020
54 | 25/02/2016 | 11/03/2020
55 | 12/05/2015 | 20/12/2019
56 | 27/06/2019 | 14/01/2020
57 | 4/02/2017 | 14/05/2020
58 | 29/02/2016 | 20/12/2019
59 | 19/10/2014 | 12/05/2020
60 | 11/10/2015 | 20/12/2019
61 | 23/03/2016 | 19/12/2019
62 | 9/03/2017 | 27/04/2020
63 | 22/03/2018 | 16/12/2019
64 | 1/06/2017 | 24/04/2020
65 | 11/04/2018 | 11/05/2020
66 | 6/03/2019 | 7/01/2020
67 | 7/12/2016 | 2/01/2020
68 | 15/08/2018 | 25/10/2019
69 | 20/11/2014 | 13/12/2019
70 | 6/08/2019 | 25/03/2020
71 | 16/02/2017 | 21/05/2019
72 | 4/02/2016 | 6/12/2019
73 | 3/10/2017 | 24/12/2019
74 | 21/10/2014 | 13/12/2019
75 | 27/01/2015 | 27/04/2020
76 | 19/07/2018 | 20/12/2019
77 | 17/10/2019 | 31/03/2020
78 | 7/01/2019 | 12/05/2020
79 | 27/06/2016 | 19/12/2019
80 | 7/12/2016 | 17/12/2019
81 | 23/06/2015 | 6/09/2018
82 | 17/07/2015 | 18/12/2019
83 | 9/01/2015 | 21/01/2020
84 | 20/04/2017 | 19/12/2019
85 | 15/01/2016 | 19/12/2019
86 | 22/02/2019 | 17/04/2019
87 | 25/02/2016 | 19/12/2019
88 | 3/06/2015 | 6/04/2020
89 | 24/07/2017 | 20/12/2019
90 | 10/10/2018 | 17/04/2020
91 | 21/07/2016 | 17/03/2020
92 | 26/10/2015 | 10/12/2019
93 | 12/10/2015 | 27/09/2018
94 | 1/09/2018 | 5/05/2020
95 | 3/07/2017 | 16/12/2019
96 | 13/03/2016 | 12/12/2019
97 | 19/11/2015 | 22/01/2020
98 | 27/06/2018 | 12/12/2019
99 | 15/03/2018 | 21/05/2019
100 | 3/12/2014 | 20/01/2020
101 | 17/11/2015 | 21/01/2020
102 | 17/09/2015 | 16/12/2019
103 | 25/09/2016 | 29/01/2020
104 | 13/07/2018 | 6/12/2019
105 | 3/01/2018 | 12/12/2019
106 | 10/12/2016 | 20/12/2019
107 | 16/03/2017 | 13/05/2020
108 | 20/02/2018 | 7/05/2020
109 | 7/10/2019 | 31/03/2020
110 | 1/08/2017 | 3/03/2020
111 | 15/07/2019 | 24/12/2019
112 | 21/07/2017 | 6/12/2019
113 | 10/10/2018 | 22/11/2019
114 | 8/10/2014 | 16/12/2019
115 | 1/04/2018 | 19/11/2019
116 | 7/12/2015 | 20/12/2019
117 | 21/02/2018 | 24/12/2019
118 | 7/12/2017 | 3/12/2019
119 | 28/11/2016 | 19/05/2020
120 | 11/01/2016 | 11/03/2020
121 | 20/01/2016 | 13/12/2019
122 | 30/09/2015 | 20/12/2019
123 | 21/08/2017 | 26/11/2019
124 | 3/04/2019 | 16/12/2019
125 | 26/03/2019 | 8/05/2020
126 | 18/10/2014 | 27/04/2020
127 | 1/09/2016 | 6/12/2019
128 | 2/01/2018 | 18/12/2019
129 | 15/05/2019 | 4/12/2019
130 | 1/12/2018 | 5/05/2020
131 | 2/09/2015 | 25/11/2019
132 | 3/06/2019 | 16/12/2019
133 | 3/08/2018 | 16/12/2019
134 | 1/09/2015 | 4/12/2019
135 | 16/08/2016 | 21/01/2020
136 | 27/10/2015 | 20/12/2019
137 | 17/11/2016 | 16/12/2019
138 | 27/01/2015 | 12/12/2019
139 | 17/11/2016 | 5/12/2019
140 | 8/12/2016 | 6/01/2020
141 | 31/08/2018 | 20/12/2019
142 | 21/06/2018 | 14/05/2020
143 | 15/12/2016 | 16/12/2019
144 | 28/03/2017 | 20/12/2019
145 | 22/07/2015 | 5/05/2020
146 | 15/02/2016 | 19/12/2019
147 | 18/05/2016 | 29/11/2019
148 | 5/10/2015 | 25/11/2019
149 | 9/03/2018 | 6/12/2019
150 | 16/11/2016 | 5/12/2019
151 | 10/10/2017 | 24/02/2020
152 | 29/10/2015 | 19/12/2019
153 | 15/07/2019 | 13/01/2020
154 | 8/12/2015 | 20/12/2019
155 | 31/05/2016 | 19/12/2019
156 | 4/01/2019 | 16/12/2019
157 | 7/01/2018 | 13/05/2020
158 | 31/01/2018 | 11/11/2019
159 | 31/03/2019 | 10/12/2019
160 | 25/04/2019 | 7/05/2019
161 | 7/06/2019 | 15/05/2020
162 | 14/07/2017 | 20/08/2018
163 | 12/06/2017 | 13/05/2020
164 | 19/05/2017 | 11/12/2019
165 | 10/04/2017 | 10/02/2020
166 | 7/10/2016 | 6/05/2020
167 | 25/10/2018 | 17/12/2019
168 | 21/10/2015 | 11/05/2020
169 | 12/09/2016 | 12/12/2019
170 | 30/12/2016 | 16/12/2019
171 | 8/12/2016 | 25/02/2020
172 | 13/07/2018 | 20/12/2019
173 | 13/06/2016 | 21/11/2019
174 | 30/05/2018 | 19/12/2019
175 | 21/11/2016 | 16/12/2019
176 | 18/03/2015 | 13/11/2019
177 | 24/07/2017 | 16/12/2019
178 | 30/08/2017 | 19/12/2019
179 | 8/09/2016 | 20/12/2019
180 | 17/12/2015 | 19/11/2019
181 | 18/04/2016 | 29/01/2020
182 | 2/11/2015 | 28/11/2019
183 | 13/05/2019 | 18/12/2019
184 | 20/02/2018 | 18/12/2019
185 | 10/10/2017 | 16/12/2019
186 | 17/09/2017 | 25/07/2018
187 | 8/01/2018 | 20/12/2019
188 | 17/10/2016 | 18/12/2019
189 | 7/12/2016 | 22/12/2019
190 | 16/07/2018 | 1/11/2018
191 | 23/10/2015 | 6/12/2019
192 | 21/12/2016 | 20/12/2019
193 | 8/01/2017 | 13/12/2019
194 | 3/09/2015 | 20/12/2019
195 | 12/04/2018 | 16/12/2019
196 | 11/01/2016 | 12/12/2019
197 | 17/07/2017 | 24/12/2019
198 | 27/04/2018 | 13/05/2020
199 | 30/05/2017 | 22/11/2019
200 | 22/09/2017 | 18/12/2019
201 | 14/09/2017 | 16/12/2019
202 | 3/09/2015 | 16/12/2019
203 | 28/12/2018 | 16/12/2019
204 | 22/09/2017 | 10/01/2020
205 | 11/02/2018 | 16/12/2019
206 | 29/08/2016 | 19/02/2020
207 | 1/05/2015 | 25/11/2019
208 | 4/04/2016 | 6/12/2019
209 | 12/01/2016 | 20/12/2019
210 | 2/08/2016 | 15/11/2018
211 | 21/11/2015 | 3/12/2019
212 | 17/11/2018 | 19/11/2019
213 | 10/08/2016 | 19/12/2019
214 | 1/12/2016 | 18/12/2019
215 | 7/10/2014 | 21/01/2020
216 | 1/02/2016 | 18/12/2019
217 | 18/09/2017 | 19/05/2020
218 | 30/08/2016 | 17/02/2020
219 | 5/06/2016 | 16/12/2019
220 | 31/07/2017 | 2/02/2020
221 | 29/09/2014 | 11/12/2019
222 | 15/12/2018 | 27/04/2020
223 | 13/04/2018 | 3/02/2020
224 | 27/07/2016 | 19/12/2016
225 | 11/03/2017 | 2/01/2020
226 | 7/12/2016 | 16/12/2019
227 | 28/12/2018 | 6/12/2019
228 | 4/04/2018 | 20/12/2019
229 | 24/09/2019 | 21/01/2020
230 | 25/01/2016 | 19/11/2019
231 | 5/12/2016 | 16/12/2019
232 | 27/08/2018 | 13/12/2019
233 | 19/03/2016 | 20/12/2019
234 | 6/11/2018 | 14/05/2020
235 | 11/06/2015 | 19/12/2019
236 | 14/12/2015 | 20/12/2019
237 | 25/07/2016 | 18/12/2019
238 | 10/06/2016 | 21/04/2020
239 | 10/05/2017 | 22/01/2020
240 | 9/10/2018 | 10/12/2019
241 | 17/06/2015 | 25/02/2020
242 | 23/09/2015 | 16/12/2019
243 | 3/12/2015 | 20/12/2019
244 | 11/01/2019 | 13/05/2020
245 | 29/03/2016 | 20/12/2019
246 | 15/02/2018 | 11/03/2020
247 | 19/10/2015 | 2/03/2020
248 | 8/03/2016 | 19/12/2019
249 | 21/11/2014 | 20/12/2019
250 | 19/12/2016 | 28/11/2019
251 | 04/09/2015 | 19/12/2019
252 | 1/07/2018 | 12/05/2020
253 | 13/02/2017 | 20/12/2019
254 | 31/07/2017 | 16/12/2019
255 | 15/12/2015 | 30/12/2019
256 | 31/07/2017 | 23/03/2020
257 | 10/02/2016 | 20/12/2019
258 | 13/02/2017 | 18/12/2019
259 | 18/11/2016 | 29/01/2020
260 | 14/12/2016 | 6/12/2019