by Nathan Lynch, Regulatory Intelligence | Expert Analysis
In March 2018, at a discreet hotel in Sydney, two dozen senior representatives from the financial intelligence community gathered around a diplomatically square boardroom table.
There was no head, no sides, no nosebleed section, just a group of equals coming together with a shared vision and a common goal. They had been invited to the bi-annual roundtable discussion on the Fintel Alliance, the world’s first genuinely co-located public-private financial intelligence partnership dedicated to fighting serious and organised financial crime.
It was a triumphant meeting, celebrating the successes of the alliance in its first 12 months of operation. The project had broken new ground by allowing bank staff, payments companies, law enforcement agencies and criminal intelligence experts to sit in the same room and work together on top-priority projects.
Some of the early wins demonstrated what a powerful “Triple P” model this could become. No other country had gone as far as swearing in bankers as public servants and inviting them to sit beside law enforcement counterparts to discuss matters of national importance — and secrecy — for criminal intelligence. In its first year the project team had been focusing on detecting and disrupting money muling syndicates, analysing the Panama Papers and mining data from the Australian Cyber Online Reporting Network.
The biggest victory, however, had been a very human story. The alliance’s most inspiring and successful work had been to use financial typologies, transaction monitoring, data and analytics to make unprecedented inroads into the detection of child exploitation payments. This had allowed banks and payment companies to file a raft of suspicious matter reports (SMRs) on the horrific “pay per view” streaming of child sexual abuse, notably in vulnerable regions in the Philippines.
The discussion was full of optimism for the future of “fintel” partnerships, not just in Australia but globally. The members had identified patterns of behaviour indicative of child exploitation. This included small, regular payments of between $15 and $500 disguised as things like “school fees” or “uniforms” in the payment narrative; purchases of live streaming software and VPNs, or metadata stripping programs; travel to countries such as the Philippines; and the use of payment cards in high-risk areas.
In isolation, none of these would be inherently suspicious. But when aggregated and overlaid with other law enforcement data sets, the banks and payment companies had a game-changing tool at their disposal. In the 2018 financial year police had made more than 30 arrests on the back of this information. A year later, that number would continue to rise with 73 suspects detained or arrested. Even better, 35 children had been rescued from abusive situations with the help of financial intelligence.
What the participants could never have known, however, was that one of the Fintel Alliance’s founding members was bluffing. It had not done the work to detect and disrupt this heinous crime typology. It had not invested in the technology it needed to run sophisticated transaction monitoring across its cross-border payments. In fact, at that stage, even the bank itself had no idea it was facilitating tens of thousands of suspicious payments for at least 284 potential paedophiles.
Welcome to the darkest corner of the world of dirty money.
The darkest side of money laundering
In November last year, Westpac Banking Corporation’s edifice of good governance and top-tier financial crime threat mitigation came crumbling down. The Australian Transaction Reports and Analysis Centre (AUSTRAC) levelled a civil claim against the bank alleging systemic breakdowns in its financial crime program, systems and controls.
The financial crime intelligence agency alleged Westpac had failed to report more than 23 million transactions, including millions of complex International Funds Transfer Instruction (IFTI) reports. AUSTRAC also alleged that Westpac had failed in its obligation to detect 12 customers who had been making payments for “CEM” — child exploitation material — in the Philippines.
The latter claim was galling for the many committed people who worked in the bank’s financial crime unit. It was also galling for the many small remitters who had been “de-risked” by Westpac in 2014 on the basis that it lacked a risk appetite for that line of business. Those small players had long alleged that Westpac drove them out of business, only to launch its own competing low-cost service. That competing service was the now-notorious LitePay channel, which Westpac closed immediately when the AUSTRAC allegations came to light.
Back in 2014 a group of remitters had even developed a solution, at their own cost, to report end-to-end payment data to Westpac in return for keeping their businesses alive. They argued that they knew their customers directly and could screen all transactions against data such as the criminal, adverse media and “politically exposed person” watchlists. Westpac declined, and closed their accounts, driving many of these businesses into closure.
Within a year of these discussions taking place, Westpac had launched LitePay.
As one remittance industry source told Thomson Reuters: “Everything we feared was absolutely true. When I saw LitePay in the headlines for facilitating child exploitation, I nearly fell over. We knew our customers, we knew why they were moving money, and we were happy to report any suspicious activity to Westpac. We were their best defence against getting caught up in this.”
Westpac said in a market announcement on Friday, June 12, that it had already “admitted to a substantial majority of the contraventions alleged by AUSTRAC”.
Ever since the claim was lodged in November, the bank has continued to review its internal failures. It has conducted several major reviews, including a mammoth “lookback” program. This year alone, Westpac will add another 200 financial crime compliance staff. The bank is effectively paying a premium now for any savings it made in cutting compliance controls in the past. It is also paying an enormous reputational cost.
As a result of this gargantuan remediation project, Westpac has reported to AUSTRAC an additional 60,000 to 90,000 threshold reporting failures. These additional failures alone exceed the number of breaches in the A$700 million Commonwealth Bank AML/CTF litigation.
In December 2019, as part of the lookback process, Westpac had also filed some particularly heinous suspicious matter reports (SMRs) in relation to potential child exploitation.
The financial crime agency was unimpressed by their late arrival, in some cases years after the offences took place. AUSTRAC’s chief executive, Nicole Rose, had made it clear to the industry that combating child exploitation offences would be a top priority under her leadership.
In a terse media release, Westpac acknowledged on Friday that the financial crime agency was now on the warpath.
“Westpac has now been informed by AUSTRAC that it is further investigating these matters and has notified Westpac it may amend its statement of claim to include allegations arising from these investigations,” the bank said.
“AUSTRAC has requested further information from Westpac on these matters, including in relation to the TTR issues and 272 customers, many of which were the subject of SMRs previously filed as part of the lookback. Further updates on this matter will be provided as required.”
There is now a very strong possibility that AUSTRAC’s legal team will be burning the midnight oil, ready to lodge a revised statement of claim in the Federal Court. This may even be ready as early as the next case management hearing on Wednesday, June 17, such is the abhorrence that staff at the agency feel towards these types of predicate offences.
The new revelations from Westpac are devastating on every level, including for the bank staff who work hard every day to combat serious financial crimes. These dedicated financial crime teams have big wins every week, behind the scenes, alongside their partners at AUSTRAC and other Commonwealth government agencies.
But these crack financial crime experts are reliant on their colleagues in the business units to be truly successfully. They need full management and board support to win the battle against Australia’s A$36 billion financial crime problem, as all of the major AUSTRAC enforcement cases have shown.
The 284 customers at the heart of the Westpac child exploitation allegations were a top priority for the Fintel Alliance and law enforcement agencies. By mid-2019, just two years after its inception, the alliance had made huge strides in disrupting the financing of child exploitation.
The alliance’s first priority was listed as “protecting the most vulnerable from child exploitation”. The group’s intelligence reports had saved 35 victims from sexual slavery. A total of 73 suspected offenders had been either arrested or detained — 85% of which were due directly to 25 “intelligence products” from the Fintel Alliance.
As it turns out, however, Westpac was failing to fulfil its promises to the partnership. The detections could have been much higher, had Westpac been embedding the alliance’s knowledge and tool sets in its own systems and controls.
From AUSTRAC’s perspective, this is not financial intelligence that would have languished in a large database waiting for a law enforcement agency to pick up the case. Child exploitation was a top priority and would have been acted upon immediately by the Australian Federal Police (AFP). All of the major banks knew this during the period in question through their involvement in the alliance and through direct engagement with AUSTRAC and its partners.
This multi-agency work is dependent, however, on banks running transaction monitoring and other AML/CTF controls across their client base.
In view of this, AUSTRAC’s revised claim will doubtless argue that Westpac’s failure to run transaction monitoring and other controls on cross-border payments led to the loss of actionable intelligence. Law enforcement and criminal intelligence agencies have taken the view already that this failure placed children directly at risk of harm.
Based on similar cases that police have investigated in the past, Westpac’s failures could involve tens of thousands of individual transactions. Bank sources say this problem was not restricted to the problematic LitePay channel, which was highlighted in the statement of claim. It cuts across many cross-border payment channels, all of which had systemic problems with their transaction monitoring programs.
In fact, Westpac made a decision to save money by running transaction monitoring only on its cheapest remittance service. The internal justification was a flawed assumption that paedophiles would be “price sensitive” and would migrate to the cheaper, monitored channel. As the subsequent lookback exercise shows, this theory was deeply flawed.
Instead, Westpac became a honeypot for child exploitation payments, as the other banks used AUSTRAC’s typologies, reported their intelligence, and closed the suspect accounts. The case is yet another devastating reminder that any bank that lags its peers in financial crime compliance will become an unwitting magnet for all the worst types of customers.
This week, as the latest revelations sink in and the parties prepare to meet in court, Westpac looks a lot like a banking pariah. As the financial crime picture within the bank becomes clearer, the 12 customers at the centre of the child exploitation payments no longer look like outliers. These are systemic control failures across the bank’s international payment channels.
The Westpac case is a stark reminder for bank boards and executives about the importance of a strong financial crime function and the need to understand a bank’s activities from top to bottom. The big lesson is to resource the financial crime function appropriately. A strong financial crime function is not a “nice-to-have” function; it is a legal obligation and a fundamental part of running a bank.
Likewise, Australian bank executives who make decisions to save mere millions on financial crime controls, while their organisations report multiple billions each year in profits, should expect to face the full wrath of customers, politicians and investors. In 2018, when these fateful decisions were made, Westpac reported an operating profit of A$8.07 billion. It was Australia’s oldest and second most profitable financial institution. Senior executives earned significant bonuses during this period, yet only A$20.1 million has been clawed back from 38 individuals to help shareholders pay the upcoming billion-dollar-plus AUSTRAC penalty.
The bank’s senior executives should now expect to face the full extent of any individual accountability that is available under the law. The Australian Securities and Investments Commission (ASIC) is already well advanced in Project Chiltern, its proposed case against some of the Commonwealth Bank (CBA) senior executives for similar failures. This includes looking at whether the bank’s most senior staff and directors met their obligations of “care and diligence” in relation to systemic breakdowns in AML/CTF controls.
The investigation into CBA is looking at possible breaches of Section 180 of the Corporations Act 2001. If ASIC pursues this line in court, it will be a critical test case for the “care and diligence” obligations on directors.
Given the seriousness of the Westpac allegations, it is highly likely that a similar project has already been launched against Westpac.
Time waits for no manager
This case offers another significant lesson, which is to fix problems as soon as they emerge. As large and complex organisations, banks make mistakes. When they make an error, it inevitably has a large-scale impact.
Likewise, the AML/CTF regime is not a “zero failure” framework (unlike, for example, the sanctions regime). Some requirements are fundamental, such as conducting a risk assessment, having an appropriate AML/CTF program and conducting transaction monitoring. But reporting entities can take a proportionate, risk-based approach to tackling financial crime. The regime’s obligations are scalable and ramp up in concert with the risks.
When banks do uncover failures they must demonstrate to the regulator, through their actions, that they treat AML/CTF compliance as a top organisational priority. Banks and other AML/CTF reporting entities are engaged with AUSTRAC in this process of dialogue and collaborative improvement all the time.
In keeping with this “partnership” approach, banks should also keep the regulator informed on progress throughout any remediation processes. National Australia Bank (NAB) has succeeded in adopting this approach, as it works through a raft of compliance failures with the financial crime agency. It has made changes in key roles, trained staff, invested in compliance and is getting its relationship with AUSTRAC back on track — as key allies and partners in the fight against financial crime.
As this banking morality play rolls on, the fortunes of NAB and Westpac could not be heading further apart.