The Australian Prudential Regulation Authority (APRA) has closed its investigation into possible breaches of the Banking Act 1959, including the Banking Executive Accountability Regime (BEAR), by Westpac Banking Corporation (Westpac).
APRA commenced the investigation in December 2019 to examine prudential concerns arising from allegations by AUSTRAC that Westpac had breached anti-money laundering and counter-terrorism laws. APRA’s investigation also examined the bank’s actions to rectify and remediate the issues after they were identified.
In June last year, APRA delegated certain enforcement powers under the Banking Act to the Australian Securities and Investments Commission (ASIC), which was conducting its own investigation into whether the conduct giving rise to the allegations amounted to contraventions of the Corporations Act 2001 (Corporations Act). The delegation was done to avoid both agencies separately investigating and potentially litigating related matters.
Having carefully considered the results of ASIC’s investigation, APRA has determined to close its investigation. Westpac remains subject to a court enforceable undertaking (CEU) to implement an integrated risk governance remediation plan to uplift risk governance across its business with ongoing independent review over its progress. The $1 billion operational risk capital add-on, which reflects the bank’s heightened operational risk profile, will also remain in place until Westpac completes its remediation under the CEU to APRA’s satisfaction.
APRA Deputy Chair John Lonsdale said: “Although the investigation has not found evidence of breaches of the Banking Act or the BEAR, APRA remains determined to ensure Westpac rectifies its risk governance weaknesses effectively and sustainably.
“Under the enforceable undertaking, Westpac has clearly defined Executive and Board accountabilities for the implementation of its integrated risk governance remediation plan. APRA will be holding Westpac to account for the delivery of the required improvements,” Mr Lonsdale said.
Westpac has agreed to pay the largest fine in Australian corporate history — a $1.3 billion civil penalty for more than 23 million breaches of anti-money laundering laws.
But what exactly did it do wrong and how does the penalty stack up?
What are the laws Westpac broke?
To help police and security agencies stop international crime and terrorism the Federal Government passed the Anti-Money Laundering and Counter-Terrorism Financing Act (2006).
This law places many requirements on financial institutions and other key groups that handle large or cross-border money movements to report certain transactions.
According to the Federal Government's Department of Home Affairs, the five major requirements are for organisations to:
- Register with the regulator if they are captured by the laws
- Set up and maintain adequate systems to monitor for money laundering and terrorism financing risks
- Know their customers by verifying their identity
- Report any suspicious transactions to the regulator within specified time periods
- Keep appropriate records of transactions
AUSTRAC — the Australian Transaction Reports and Analysis Centre — is the Government agency charged with enforcing those requirements and analysing the information submitted to detect possible criminal or terrorism activity.
How did the bank break the law?
The biggest breach was Westpac's failure to properly report more than 19.5 million instructions to transfer money overseas or bring foreign funds into Australia, totalling more than $11 billion.
Financial institutions are required to submit a report to AUSTRAC within 10 days of an instruction to make an international transfer.
In many cases, Westpac also failed to pass on information about the origin of these transfers, or the source of funds to other banks involved in the transactions.
It also failed to keep records about where the money came from in some cases.
Westpac has also admitted it failed to properly assess and monitor the risks associated with some of these foreign transfers, some of which were with banks in "higher risk jurisdictions" including Iraq, Lebanon, Ukraine, Zimbabwe and Democratic Republic of Congo.
The bank also failed to make adequate checks on some customers who were sending regular payments overseas, and also failed to pick up on payment patterns typical of child exploitation activities, despite repeated warnings from AUSTRAC for banks to do this.