Westpac’s technology stack has come under fresh scrutiny as a review into the bank’s enormous transaction monitoring failures over the past decade questioned whether the bank’s IT platforms are “best practice”.
The bank today released an advisory panel report [pdf] into the Westpac board’s oversight of financial crime obligations, as well as a brief letter from IBM subsidiary Promontory following its own commissioned review.
Westpac is accused of breaching anti-money laundering regulations 23 million times, mostly from not filing reports - called international funds transfer instructions or IFTIs - to AUSTRAC.
It was already known that the failure stemmed from poorly-implemented middleware between batch systems and monitoring software - and that the implementation works were beset by technical difficulties and staff cuts.
“Resource constraints in the relevant technology team impacted the successful implementation of the project,” Westpac confirmed in documents released today.
“In 2011/12, there was also a high turnover of staff where a whole team departed to join another organisation.
“The loss of continuity and specialist knowledge associated with these departures contributed to the implementation errors.”
The advisory panel report said that the “ignition event” for the breaches occurred in 2010.
“A relatively small IT project involving a software upgrade and complex plumbing to connect to other systems was not completed satisfactorily and resulted in regulatory reporting deficiencies, which the bank’s control and reconciliation processes failed to detect for some years,” it found.
The advisory panel said that - even now - there are still open questions “arising from this review is whether the Westpac technology platforms are best practice and what part they played in Westpac’s capacity to deal with AML/CTF [anti-money laundering and counter-terrorism financing] obligations”.
An alternative view offered by the review is that the bank’s problems stemmed from the way IT systems were used - rather than the systems themselves.
“Internally it was also known that to meet compliance obligations in the financial crime area an analysis of data relating to millions of transactions, customers, and correspondent banks was needed. This meant IT systems and how they are used had to be fit-for-purpose,” the advisory panel noted.
“We are told that significant resources had been invested in IT systems.
“However how these systems were used may have hampered data collection, forensic analysis and regulatory reporting.”
In support of this view, the advisory panel said that Westpac’s financial crime system, Detica, was the subject of a strategic program “initiated in 2015 to upgrade and migrate four separate parts of the Detica IT system into a single global platform.”
“The aim was to allow real time screening and establish a global transaction monitoring program,” it said.
“The upgrade was planned to be delivered over the period 2016-2021 at a cost of $60 million.”
Citing the advisory panel’s report, Westpac said in a statement that “the failure concerning IFTIs non-reporting occurred due to a mix of technology and human error dating back to 2009.”
Overall, the advisory panel painted a picture of a lack of experience in financial crime in the bank, a lack of awareness at international developments in the space, and a lack of information being communicated up to the board.
However, it said that none of this was intentional.
“Overall, this saga reveals that major sins were ones of omission and not of commission,” the advisory panel said.
“AUSTRAC’s allegations against the bank include matters that were unknown at the time to the bank’s leadership.
“The failings - such as non-reported IFTIs or inadequate due diligence on correspondent banks and particular customers - occurred deep in the organisation and it is not reasonable to expect that a board should find these out.
“The board relies on information flows from management and it was the content of those flows that was poor. Information was (unintentionally) misleading and sometimes omitted.”
.png&h=140&w=231&c=1&s=0)
.jpg&h=140&w=231&c=1&s=0)
