Time to shift gears in Technology Risk and Compliance

Don’t have time to read everything? Spend five minutes scanning whatever is red.

Boiling Frog

We have all heard the boiling frog analogy. The story goes that if a frog is dropped into boiling water, it will jump out. However, if the frog is put in warm water that is then slowly brought to the boil, the frog will not perceive the danger soon enough and will die.

Applied in a risk context, this analogy refers to a business situation where small changes in the context go unnoticed or their significance is not well understood. A somewhat relevant real-life example can be found in the Westpac Advisory Panel Report into Board Governance of AML/CTF Obligations.

Observing trends can be helpful in identifying changes in the context, which in turn can help in updating an organisation’s approach towards risk.

Technology Risk

I believe ISACA’s Risk IT Framework 2nd Edition outlines the Technology Risk scope really well.

The Risk IT Framework concerns the entire spectrum of I&T risk—any business or mission risk related to the use of, or dependence on, information and communications technology (ICT), operational technology (OT), network or internet of things (IOT), electronic data, and digital or electronic communications. The framework is founded on the core principle of serving stakeholders and enhancing business value through effective enterprise governance and management of all types of I&T-related risk. In this publication, information security, information assurance and cybersecurity are treated as subdomains of I&T-related risk.

(ISACA Risk IT Framework, page 9 of 46)

Trends in Technology Risk

I have observed the trends below in relation to technology risk:

1. Industries have embraced digital transformation. Technology change is rapid, particularly in the banking and financial services industry. Dependency on technology in delivering banking and financial services is increasing day by day. A cyberattack can result in prolonged disruption of business activities.

2. Information security incidents continue to rise. With the increased use of IOT devices, operational security is gaining prominence. The financial cost of cyberattacks is rising.

3. The regulatory focus on information security in the financial services industry is increasing. APRA has mandated the information security standard CPS 234 Information Security since July 2019. The Australian Privacy Principles were updated in 2019. NPP Australia and SWIFT have issued clear expectations for information security controls.

4. Increasing expectations to meet “social license obligations” are changing the “purpose” of the Bank from maximisation of shareholders’ return to serving a broader set of stakeholders, including employees, community, customers, suppliers and regulators. (Source: Westpac Advisory Panel Report into Board Governance of AML/CTF Obligations.)

5. Increasing expectations about what boards can and should do, evidenced by the larger and growing statement of duties of a director, pose a challenge for non-executive directors – how to cover the large scope of matters that have to be addressed. (Source: Westpac Advisory Panel Report into Board Governance of AML/CTF Obligations.)

Questions

Each business is unique. However, the questions below will help in identifying whether your technology risk and compliance strategy needs to be revisited.

1. Has your technology risk and compliance team’s capability and capacity grown in proportion to the pipeline of digital transformation projects? (If your organisation doesn’t have any digital transformation project, then that may be a serious question in itself 🤔.) When you hear your project managers complaining about the time taken by technology risk and compliance teams in various activities, it may be an indicator that those teams do not have sufficient resources or that an uplift in capability is needed.

2. Does your organisation have an adequate risk framework that guides effective risk-based decisions for technology risk? I believe it is a fundamental step to recognise technology risk and compliance as a material risk in the risk framework. This will help in setting an appropriate risk appetite as well as policies and procedures to aid decision making. No organisation has an unlimited budget for technology risk. Accordingly, it is important to set up a risk framework that can support decision making.

3. Has your technology risk policy framework been operationalised effectively and embedded in IT activities? Effective implementation requires a balance of systems, processes and people, along with empowerment and encouragement. Reliance on an internal controls framework alone will have limited traction. When you see key technology risk indicators remaining Amber or Red for a prolonged period, it may be an indicator that technology risk policies are not effectively implemented. Another indicator may be the repetition of issues in the technology risk and compliance space.

4. Does your third party risk program cover technology risk considerations effectively? Your business will be relying on your third parties’ internal controls to manage technology risk. The performance of these controls is out of your control. Your third party may be your weakest link (e.g. the SolarWinds hack, which was a highly sophisticated one, or the recent website outage).

If your answer is yes to every question above, then either technology risk has gained its due prominence in your organisation, or you need to ask yourself whether it is really a resounding YES.

Notes on Advisory Panel Review Report in Westpac Board Governance

Introduction

Westpac released the Advisory Panel Report into Board Governance of AML/CTF Obligations on 4 June 2020. While the report appears to be focusing on Westpac’s AML/CTF compliance issues, the report provides valuable insights into management of non-financial risks.

Below are my notes summarising the report. I am focused on key lessons from this report and sharing my understanding on risk governance.


Background

In its statement of claim covering serious AML/CTF contraventions, AUSTRAC alleged inadequate oversight by the Westpac Board. As part of Westpac’s response and investigation into the AML/CTF non-compliance, Westpac conducted two separate reviews: (1) an Advisory Panel Review on Board Governance of AML/CTF Obligations, and (2) an external independent review on management accountability assessment.

Both reviews looked at Board governance and management practices in relation to AML/CTF compliance over 10 years. Westpac imposed remuneration consequences on 38 employees. The AML/CTF contraventions resulted in some significant leadership and governance changes: the Westpac CEO resigned, the Board Chairman brought forward his retirement and the Chairman of the Board Risk and Compliance Committee decided not to seek re-election to the Board.

Advisory Panel Report into Board Governance of AML/CTF Obligations:

Westpac appointed an advisory panel to review Board Governance of AML/CTF Obligations. The scope of the review was to answer the questions below:

  • Were the formal Board processes, including information flows, adequate to ensure informed oversight of compliance with the requirements of the AML/CTF Act?
  • Was the level of diligence exercised by Directors within these processes appropriate?

Key Points from the Advisory Panel Report

Context

a. The report sets out the context with four trends in the last decade that Westpac could have recognised earlier in setting its approach to managing financial crimes risk. The four trends are:

1. Rapid technology change in the banking industry, which not only plays a major role as a growth and governance enabler but also puts upward pressure on costs and changes the risk profile of the Bank.

2. A decade of increased regulatory focus on financial crimes, evidenced by new regulations and high-profile litigation in the US, UK and Europe.

3. Increasing expectations to meet “social license obligations”, changing the “purpose” of the Bank from maximisation of shareholders’ return to serving a broader set of stakeholders, including employees, community, customers, suppliers and regulators.

4. Increasing expectations about what boards can and should do, evidenced by the larger and growing statement of duties of a director, which poses a challenge for non-executive directors – how to cover the large scope of matters that have to be addressed.

b. Westpac has 10 non-executive directors and the CEO on the Board. The Board is balanced, with three directors having technology and transformation experience. The governance structure of the Board is mainstream and fit for purpose but has capacity issues.

c. Westpac follows a three lines of defence risk governance structure but has accountability issues.

d. The report indirectly acknowledges the 2017 Commonwealth Bank’s AML non-compliance as a defining event and provides a comparison of the Board’s role before and after 2017.

Before 2017

a. The report noted that shortcomings were evident in the monitoring of financial crime risk management and related controls, particularly early in the years under review. Prior to 2017, Board and management attention to financial crimes risk was lower, even though there were some warnings about the importance of financial crimes risk management, particularly from overseas.

b. While the Board was receiving information reports, there was a problem with the content of that information. There is absolutely no evidence that these errors or omissions were intentional. The simple fact is that management did not know and hence could not inform the Board until they did know.

c. There appears to have been no attempts to sugar-coat the assessments. Summary traffic light assessments moved between ‘amber’ and ‘red’ and never to ‘green’. The Bank’s own risk assessment was constantly rated ‘out of appetite’. While the matters were reported to be getting management attention, the long period of time that unacceptable risk appetite persisted is notable.

d. Problems around correspondent bank due diligence were noted by management, along with remediation requirements, as far back as 2011-12. Later, in 2019, AUSTRAC noted in the statement of claim that although Westpac had conducted 47 correspondent banking assessments, these assessments had various shortcomings, which meant Westpac didn’t comply with the law.

e. The AUSTRAC assessments in 2012 and 2016 recommended improvements.

f. While Internal Audit conducted reviews in 2011 and 2014 in relation to IFTI reporting compliance, and suggested improvements, there was no conclusion that the reporting of IFTIs was not compliant.

g. The improvements suggested by Internal Audit were not adequately followed up by the first line of defence, nor did the third line appear to check whether this had been done.

h. Internally it was known that, to meet compliance obligations in the financial crimes area, the IT systems and how they were used had to be fit for purpose. Significant resources had been invested in IT systems; however, the way the systems were used may have contributed to ineffective regulatory reporting.

i. The extent of the issues became clear during 2017, when dealing with individual issues became a wider task and it became clear that ‘band aid’ solutions were inadequate.

After 2017

a. A financial crime workshop and deep dive were held for all members of the Board Risk and Compliance Committee.

b. Westpac conducted an investigation in the institutional banking division which made the extent of the problems clearer.

Once the under-reporting of IFTIs was reported to AUSTRAC in 2018, the communications from the regulator made very clear its view of the seriousness of the issue and the fact that it had persisted so long. AUSTRAC flagged a concern about the control environment and began seeking more detailed information. At the same time, the Chief Risk Officer noted in a memo to the Board that a key message from different regulators and reviews was that Westpac had been slow to act on certain long-outstanding issues.

c. It is clear that the level of diligence applied by the Board to financial crimes risk management increased significantly around 2017.

d. A series of executive appointments and changes in processes and reporting lines were approved.

e. Internal resourcing dedicated to financial crime (including financial crime operations) increased substantially, doubling to 750 people in the past three years, with a commitment to add 200 more people.

f. The Board approved a detailed plan and resolved to implement the Part A program in 2018.

g. A Financial Crime Strategic Plan was approved by the Board in March 2019 after extensive work in 2018.

h. An IT system upgrade was planned to be delivered at a cost of $60 Million.

i. Management of non-financial risk was embedded in Westpac’s senior management remuneration scorecard.

Report Recommendations

a. While the incoming leadership of Westpac has quickly assumed ownership of AUSTRAC issues, the time it takes for implementation is a clear problem and the blurred accountability that results from management through committees is a recognised concern.

b. The matrix management model has many strengths, but end-to-end visibility and ownership of processes is not one of them. This is a bigger risk for those processes that do not have a loud corporate voice and are characterised by non-financial KPIs, which are not monitored daily as financial metrics, customer statistics and the like are. Clear accountabilities must be developed and enforced.

c. Continued effort is needed to clarify the responsibilities within three lines of defence and make the model work. Each line of defence has a role and care should be taken that line one does not delegate its responsibility to line two.

d. There is a need to rebuild the relationship with AUSTRAC.

e. Benchmarking with domestic competitors is useful but not sufficient.

f. Every board needs to periodically review its own processes as directors can be overwhelmed with detailed papers, meetings get longer and issues lose visibility given the number of agenda items and shifting priorities.

g. The way in which the Board monitors its need to meet AML/CTF obligations should be reviewed. Three types of monitoring are required:

1. Monitoring the many financial crime risks facing Westpac,

2. Monitoring the risk management framework to ensure it remains appropriate and proportionate to those risks, and,

3. Monitoring the transactions and activities of customers.

h. The ‘traffic light scoring system’ for conforming to risk appetite is one monitoring tool used but deeper issues also need routine consideration and perhaps different types of reporting.

i. The Westpac Culture, Governance and Accountability Self-Assessment caused a large number of improvement initiatives to be undertaken from 2019 onwards. This work should be focused and accelerated with clear accountabilities for delivery, including a more pressing timetable.

What’s this website all about?

Hi. I am Ripal Shah. I work as a risk manager in the financial services industry in Australia. This is my blog.

It is about how we can make things easy and fun in the world of Governance, Risk Management, Technology Risk, Compliance and Internal Audit. (Who yawned?? 😉)

Though everyone agrees with the strategic importance of these topics in the success of organisations, the trouble starts with its implementation and particularly applying various tools and techniques. 😜

There is a wide variety of literature and standards available on what the ultimate goal of Governance and Risk Management looks like (which also creates a wave of confusion🤦‍♂️ but that’s a different topic😊); however, the implementation of these standards needs to be in a situational context.

Without exception, the implementation or improvement of governance and risk management frameworks involves behaviour change. I believe that technology and psychology can be very useful here. I don’t claim to be a psychology or technology expert. I consider myself fortunate that I got an opportunity to see the world from a psychology and technology perspective, and its possible application in risk framework implementation, by standing on the shoulders of giants.

I have a keen interest in financial markets, investments, spiritual growth, probability and management. I haven’t decided anything on that yet, but I may post some stuff here. Who knows.😊 Just in case I post some stuff here, all the routine disclaimers of the personal finance world apply.

I intend to write one post every fortnight. I welcome your views and opinions on my posts. You can send me your views at ripal.ca@gmail.com

I was born in India. I am currently living in Australia. Accordingly, my spellings follow Australian and Indian English style rather than American English.

If you would like to know more about me, please refer to my LinkedIn profile.