Westpac has announced it will invest AU$25 million to improve cross-border and cross-industry data sharing and analysis as one of the "immediate fixes" as part of its response plan, following issues raised by the Australian Transaction Reports and Analysis Centre (Austrac).
The anti-money laundering and terrorism financing regulator applied to the Federal Court of Australia alleging Westpac was involved in "systemic non-compliance" with the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) on over 23 million occasions.
Specifically, Austrac said the bank had consistently failed to assess and monitor ongoing money laundering and terrorism financing risks; report over 19.5 million International Funds Transfer Instructions (IFTIs) to Austrac over nearly five years for transfers both into and out of Australia; pass on information about the source of funds to other banks in the transfer chain; keep records relating to the origin of some of these international funds transfers; and carry out appropriate customer due diligence on transactions in the Philippines and South East Asia that were related to potential child exploitation risks.
In explaining Westpac's response plan, chairman Lindsay Maxsted expressed his "deep sorrow" for the bank's failings uncovered by Austrac.
"We are determined to urgently fix these issues and lift our standards to ensure our anti-money laundering and other financial crime processes are industry leading. As a major bank we play a critical role in helping law enforcement agencies prevent criminals from carrying out illegal activity," he said in a statement.
See also: Why Westpac is making 'frenemies' with fintechs (TechRepublic)
According to the bank, the investment will dedicate the funds to improve the bank's cross-border and cross-industry data sharing and analysis, which it said will "better support regulators and authorities to fight financial crime".
It added that it will also seek to partner with industry, technology, telecommunication, and government partners.
Improving its cross-industry standards is one of five immediate actions that Westpac outlined it will take.
The others include flagging transactions that suggest potential child exploitation in high risk locations; establishing a dedicated Board of Financial Crime sub-committee to oversee the implementation of its financial crime program; commission an external expert to independently review Westpac's program and report back; and see the financial crime function reports directly to the chief risk officer.
Other future actions Westpac said it will take included provide AU$18 million over three years to the International Justice Mission to help tackle online child exploitation in the Philippines; invest AU$6 million over six years to raise awareness about online child exploitation in the Philippines; and provide funding of up to AU$10 million per year for three years to implement recommendations that will be provided by industry experts to support the prevention of online child exploitation.
The bank also said it was withholding short term bonuses to its entire executive team and several members of the general management team.
Last October, Westpac announced it introduced a risk management system known as Juno, 18 months prior to effectively track compliance issues right across the bank.
According to CEO Brian Hartzer, Juno allows Westpac to log all of its incident-related data, even if it's just a suspicion that it might be an issue.
"Historically the management of compliance incidents and the like was dispersed into different business units. While people would report them up and they would get aggregated and shown at various risk committees, it is true that they sat in different systems," Hartzer told the House of Representatives Standing Committee on Economics.
He explained that issues of any sort across the bank go into that system and get reviewed regularly.
A report from the Australian Securities and Investments Commission (ASIC) last year revealed how there is an "unacceptable" delay in financial institutions reporting a "significant" breach.
The report [PDF] found that Westpac, in addition to the Commonwealth Bank of Australia (CBA), the National Australia Bank (NAB), and ANZ bank took an average of 150 days to investigate and lodge a breach report to ASIC.
Under the law, all financial institutions are required to have a process that effectively identify breaches and then reports significant breaches to ASIC within 10 business days of becoming aware of them. Failure to do so is a criminal offence.
In 2017, CBA had found itself in similar hot waters after Austrac claimed that the bank was involved in "serious and systemic non-compliance" with the AML/CTF Act.