From software glitch to a ticking time bomb for Westpac

Inside Westpac, it’s become known as the “ignition event” — a routine software upgrade in 2010 that went unknowingly but horribly wrong.

Richard Gluyas

3 min read

12:00AMJune 05, 2020.

Updated 6:42AMJune 05, 2020

Westpac and Austrac remain at loggerheads over an appropriate penalty. Picture: Hollie Adams

Inside Westpac, it’s become known as the “ignition event” — a routine software upgrade in 2010 that went unknowingly but horribly wrong, and set the bank on a $1bn collision course with Austrac.

The detail about the catastrophic event in Westpac’s board accountability report, released on Thursday, is sparse; in fact, if it wasn’t spotlighted as the ignition point by the Ziggy Switkowksi-chaired panel, you might gloss over it.

“A relatively small IT project involving a software upgrade and complex plumbing to connect to other systems was not completed satisfactorily and resulted in regulatory reporting deficiencies, which the bank’s control and reconciliation processes failed to detect for some years,” the report says.

In layman’s terms, someone in the bowels of Westpac forgot to flick a switch, which meant that international funds transfer instructions (IFTIs) for customers of two correspondent banks were not converted into Austrac data, as required by anti-money laundering and counter-terrorism financing laws.

By the time Westpac’s innocent IT glitch was detected and self-reported to Austrac in August 2018, it had morphed into an explosive device searching for Switkowski’s ignition event.

Austrac obliged last November, lodging a Federal Court statement of claim which alleged 23 million AML contraventions.

While Westpac has made a string of admissions, the parties remain at loggerheads over an appropriate penalty, with the bank already setting aside $900m.

Austrac chief executive Nicole Rose is tightening the screws, extending her hand for a minimum of $1.5bn.

IFTIs have acquired a sinister meaning given their association with AML contraventions by CBA in 2017, which cost the bank $700m, and now Westpac.

In Westpac’s case, an estimated 99.95 per cent or more of the now-recovered IFTIs overwhelmingly relate to legitimate and uncontroversial transactions involving government pension payments and the like.

But that’s not the point because they form a critical part of the nation’s AML infrastructure, and a large number of IFTIs were either not reported at all, were missing required details, and in some cases provided no details at all within the required time.

Horrifyingly for Westpac, a select group of IFTIs suggested 12 of the bank’s customers might be linked to child exploitation in Asia.

“There was genuine and widespread dismay over the child exploitation allegations,” the panel report says.

Directors became aware on November 19, 2019 that the IT glitch-turned-explosive-device was about to detonate when Rose telephoned then-Westpac chief executive Brian Hartzer, informing him that proceedings would be lodged the next day.

Worryingly for Westpac, the panel found that the board’s knowledge of the Austrac issues “varied”.

Only two months before the statement of claim was lodged, the bank received a notice from Austrac about its use of typologies to detect child sexual exploitation.

Until that point, Westpac had no knowledge of Austrac’s concern about child sexual exploitation, according to the panel.

When the new line of inquiry was brought to the attention of the risk committee just before its meeting on October 31, 2019, it was the first time the board had heard that Austrac was concerned about a lack of updated transaction monitoring to detect possible child exploitation.

The Switkowski panel also found that the risk committee often failed to get information in a timely manner, which prevented it from taking appropriate action.

“For some years, the board had been regularly informed that the working relationship with AUSTRAC was good,” the report says.

“The minutes and material in various meetings over the period covering 2013-19 are full of descriptions of problems being addressed, but also talked of a constructive working relationship with Austrac.

“This may have contributed to a sense, at both board and senior management levels, that despite the problems, issues were being adequately addressed and that the regulator was content with the progress being made.”

Once the under-reporting of the IFTIs was reported to Austrac in 2018, the regulator made it “very clear” to Westpac how seriously it viewed the issue, and how it had persisted for too long.

The agency also flagged its concern about the control environment and began seeking more detailed information.

In November 2019, Westpac’s chief risk officer noted in a memo to the board that a key message from different regulators was that Westpac had been slow to act on certain longstanding issues.

There was nothing the bank could do about it.

The fuse had been lit and the inevitable explosion would follow.