A Hybrid Software & Advisory Service

A BSA/AML risk assessment is the foundation of a bank’s AML/CFT compliance framework. To avoid penalties and harm to reputation, banks need to use a reliable risk model.

This report highlights the consequences of a bank failing to operate with an adequate AML risk assessment.

By using AML360’s regulatory technology, banks can immediately move from a non-compliant assessment to a compliant status.



AML Risk Assessments

Author – Ballard Spahr LLP


Westpac Banking Corporation (“Westpac”), Australia’s second largest retail bank, has been besieged by serious allegations of violating Australia’s Anti-Money Laundering (“AML”) and Counter-Terrorism Financing (“CTF”) Act. Just as Westpac was attempting to put some of these problems behind it, new potential AML/CTF problems have come to light.

In this post, we discuss what to expect for Westpac going forward, and the potential broadening of the Australian regulator’s investigation into Westpac – a recent revelation quickly coming on the heels of Westpac’s public release on June 4 of the findings by the bank’s own internal investigation report into allegations that systemic compliance failures resulted in Westpac committing over 23 million breaches of Australia’s AML/CTF laws, pertaining in part to financial transactions involving alleged child exploitation. We previously have blogged on these alleged breaches (and the Statement of Claim brought by AUSTRAC, Australia’s AML/CTF regulator, stemming from those breaches), as well as on the private securities suits that followed these serious revelations.

The headline finding in the internal investigation report — which has been criticized — was its conclusion that the significant AML/CTF violations and failures it admitted were “due to technology failings and human error,” and that “[t]here was no evidence of intentional wrongdoing.” Consistent with a theme that emerges in many AML scandals, the lack of adequate and sufficiently trained personnel has been a key factor here.  Likewise, the Westpac internal investigation report also underscores the limits of automated AML/CFT systems.  Ultimately, any AML/CFT program is only as good as the people running it.


Westpac’s alleged widespread AML/CTF failures came to public light when AUSTRAC filed a Statement of Claims against Westpac in November 2019. The Statement of Claims focused on Westpac’s correspondent banking relationships with financial institutions in other countries and how it processed transactions for these banks; it also highlighted various ways Westpac’s AML/CTF policies dramatically failed. Among those failures, AUSTRAC alleged Westpac failed: (i) to report approximately 20 million international funds transfer instructions (“IFTIs”) initiated by foreign institutions as required by AUSTRAC regulations; (ii) to conduct proper due diligence on customers bearing indications of child exploitation; and (iii) to conduct proper due diligence on its correspondent banks to ensure they maintained proper and adequate AML/CTF controls.


On June 12, 2020, reports began to emerge that AUSTRAC intends to expand its probe into Westpac’s failure to properly conduct due diligence on customers and transactions potentially linked to child exploitation. According to some reports, that probe could increase the number of alleged AML/CTF breaches by over twenty times.

The Internal Investigation

Just before these recent reports, and in response to the Statement of Claims, Westpac launched an internal investigation to evaluate AUSTRAC’s previous allegations, identify cause(s) of any compliance failures and develop remedies for compliance going forward. The results of that investigation were released publicly on June 4 (the “Report”).

The AML/CTF Failures

The Report noted that Westpac filed a defense to AUSTRAC’s claims in May 2020 in which it admitted “a substantial majority of the contraventions alleged by AUSTRAC.” Those admissions included “the non-reporting of IFTIs and associated tracing information failures”; “record keeping failures”; “ongoing customer due diligence failures” and “failures regarding certain correspondent banking obligations.” The Report went on to delve deeper into those failures.

IFTI Non-Reporting

The Report acknowledges Westpac’s obligation to report to AUSTRAC all IFTIs that it receives or sends. Recognizing its failure to report approximately 19.5 million IFTIs to AUSTRAC over a six-year period, the Report states that “Westpac intended to comply with its IFTI reporting obligations, but due to technology failings and human error” those 19.5 million IFTIs were not reported. The Report explained that the majority of non-reported IFTIs were received by Westpac through one product and were from two global correspondent banks. They also tended to be for low value recurring payments by foreign government pension funds and corporations, “which had a low risk profile.” The Report continued to explain that the non-reporting of “the large majority” of non-reported IFTIs stemmed from the implementation of a new reporting program in 2009 and a high turnover of staff.

Customer Due Diligence

The Report acknowledged that Westpac “did not monitor the 12 customers sufficiently to identify, mitigate and manage the risk they may engage in behaviours consistent with child exploitation risk.” It explains “Westpac did not keep a formal register to capture relevant AUSTRAC guidance and did not have a robust enough process to ensure that it addressed and took action in relation to all AUSTRAC guidance.” It further acknowledged Westpac’s failure to implement “more robust monitoring of their transactions for certain types of behaviours earlier than it did.”

The Cause of the AML/CTF Failures

The headline finding in the Report was its conclusion that the significant AML/CTF violations and failures it admitted were “due to technology failings and human error,” and “[t]here was no evidence of intentional wrongdoing.” More specifically, investigators concluded that AML/CTF obligations were not clearly and consistently communicated and understood through key parts of the bank. Nor did Westpac make clear to relevant employees what their AML/CTF obligations were and where they ended. Thus, “end-to-end accountability was not always clear.” Finally, investigators attributed the failures to good old-fashioned lack of resources, explaining that Westpac “did not have enough employees with sufficient skills, expertise and experience to effectively manage AML/CTF risk.”


The Report announced Westpac’s implementation of “an extensive program of remediation and investment to address the issues and areas of compliance failure identified through its investigation.” Referring to “lifting the focus on Westpac’s AML/CTF obligations,” the Report announces a board-level committee responsible for overseeing, among other related areas, AML/CTF compliance, in addition to the appointment of a Group Executive, Financial Crime, Compliance and Conduct, who reports directly to the CEO.

The Report also announces efforts to mark clear responsibilities and objectives for AML/CTF professionals, including the elevation of the money-laundering reporting office to a new General Manager position responsible for administering and managing AUSTRAC regulatory engagements and actions and overseeing an expanded roster of AML/CTF professionals.

Beyond personnel changes, the Report announced changes to Westpac’s compliance processes. Those changes include new risk assessment methodology, revised reporting standards and processes, enhanced monitoring and new control testing capabilities.

Having identified “a number of shortcomings in the way Westpac managed non-financial risk,” Westpac also will reassess its Culture, Governance and Accountability self-assessments “to ensure that any relevant lessons from the AUSTRAC matter and other recent developments since the 2018 Self-Assessment are taken into account and addressed.”

The Report also discussed management responsibility. Although it emphasized that “the issues did not arise from intentional wrong-doing or misconduct at any level, the fact remains that compliance failures within Westpac’s Financial Crime program occurred and it was therefore appropriate that consequences be applied.” Those consequences included “remuneration consequences” such as withholding $13.2 million in 2019 “short term variable reward” bonuses and eliminating such rewards for the CEO and other Group Executives.

Next Steps

The Report makes clear that it was intended to mark the end of Westpac’s historical analysis of its AML/CTF failures while recognizing that the book on those failures has not been closed. It acknowledges that the AUSTRAC case will continue and promises that Westpac will “seek to resolve the matter if possible and, if not, to ensure the minimum number of issues remain to be determined by the Court.”

Of course, Westpac closed its investigation prior to AUSTRAC’s recent announcement of its own potentially expanded investigation. Westpac certainly will have to respond should AUSTRAC uncover more breaches. Moreover, the civil securities suits are proceeding and are certain to pick apart the Report and both seize on and challenge its conclusions. This was likely to occur even prior to the announcement of a potentially expanded AUSTRAC investigation. Now, not only may we see challenges to the conclusions in the Report, but we will likely see significant questions concerning its thoroughness. The Westpac story shows no signs of coming to a close.

