Like the butterfly effect, where a tiny change somewhere can have a dramatic impact sometime later, Westpac’s AUSTRAC scandal can be sheeted home to a glitch in a piece of software code written nine years ago.
This week, the little bug became a time bomb, exploding with devastating force in the form of AUSTRAC’s shocking statement of claim.
The genesis of the IT problem was the passing of the Anti-Money Laundering and Counter-Terrorism Financing Act in 2006. This ordered banks to overhaul the way they reported transactions to AUSTRAC by 2010.
One of the new requirements was to report to AUSTRAC every “international funds transfer instruction” (IFTI) received from a foreign bank sending money into Australia.
The huge volume of inbound money coming into a big bank such as Westpac meant building an automated system to feed the transaction data to AUSTRAC was crucial. So Westpac’s software teams, under the leadership of the then chief information officer Bob McKinnon, got to work.
Their job was to create a “converter” program. This took the data contained in incoming IFTIs sent from the foreign bank, converted it into the form required by AUSTRAC, and then sent a report containing the data to the financial intelligence agency.
For most of Westpac’s corresponding banks, the system worked smoothly. But for a few, the conversion process failed and the automatic report was not generated. It appears the converter software was not configured for these particular banks.
Worryingly for Westpac, the glitch wasn’t picked up until July last year, after the bank did a deep dive into all its AUSTRAC processes after the action against Commonwealth Bank.
It appears that internal audit teams over the years failed to reconcile the total number of IFTIs being received from all of Westpac’s corresponding banks with all of the reports being sent into AUSTRAC. If this reconciliation had been conducted, Westpac might have realised it was 19.5 million reports short.
Westpac chief executive Brian Hartzer explained during a call on Wednesday afternoon that the new anti-money laundering legislation had created “a very large program of work that had increases or improvements in various processes and controls”.
He said “the IFTI product within that was viewed at the time, as I understand it, as a relatively small portion of that program”.
The failure to identify the problem until last July was also a function of turnover in the IT team. “There were a bunch of people who left the company from the product area that was overseeing that,” Hartzer explained.
“So we had the confluence of a program of work that was not well managed from a project point of view – or from a technical point of view – compounded with a change in personnel. [This] meant they didn’t quite understand what they had inherited and that this problem existed.
“There was then a subsequent audit that happened a couple of years later which did not identify this gap. And so, unfortunately, it was allowed to persist over a period of time.”
The ramifications of the seemingly innocuous failure to properly configure the converter became clear this week, when AUSTRAC said Westpac had received 19,427,710 IFTI reports over five years from four corresponding banks that were not reported to the regulator. This accounted for the majority of the 23 million breaches exposing the bank to a fine that could be more than $1 billion.
Westpac has also been caught up by a second software problem, introduced six years later in 2016. This relates to its LitePay product, which was launched that year and used by some paedophiles to send money to the Philippines to access child pornography.
While Westpac did monitor LitePay transactions, AUSTRAC says it failed to apply an additional filter – an extra piece of software code to run over transactions – that would have helped it identify “child exploitation typology”.
At Westpac, all staff are required to do compulsory anti-money laundering training, teaching bankers about the principles of monitoring financial crime. But deploying technology to ensure those principles are put into practice appears to have tripped the bank up.
“The systems weren’t able to keep up with the times,” a former Westpac banker said on Thursday.