Westpac has entered into a court enforceable undertaking with the Australian Prudential Regulation Authority (APRA), promising to bolster efforts to fix its risk governance failings after the regulator found the bank wasn’t moving fast enough.
The undertaking comes after APRA raised concerns at the bank's progress in remediating weaknesses including an "immature and reactive risk culture, unclear accountabilities, capability shortfalls, and inadequate oversight".
APRA’s concerns stem from the findings of a risk governance review into Westpac in response to anti-money laundering breaches that cost the bank $1.3 billion in penalties.
The breaches stemmed from a failure by Westpac to implement automated transaction monitoring systems for money coming in and out of Australia, resulting in 23 million contraventions of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006.
The transaction monitoring failures were attributed by a prior review to poorly-implemented middleware between batch systems and monitoring software, an implementation works beset by technical difficulties and staff cuts.
An advisory panel report into the Westpac board’s oversight of financial crime obligations that was released in June put fresh scrutiny on Westpac’s technology stack, questioning whether the bank’s IT platforms were “best practice”.
Despite almost two years of remediation, APRA said Westpac had failed to deliver expected risk governance improvements.
As part of the undertaking, Westpac has 90 days to submit an integrated remediation plan to APRA that incorporates all its major risk governance remediation programs, covering both financial and non-financial risks.
The bank must also appoint an independent reviewer, who will report to APRA each quarter on the effectiveness of the integrated plan.
Westpac will also assign accountabilities for delivery of the plan to named executives and board members and incorporate outcomes into remuneration decisions.
Westpac Group CEO Peter King said the bank was determined to deliver on its risk remediation activities.
“My top priority is to ensure the bank’s risk culture and management of risk meet the high standards expected of us,” King said.
“We have had constructive discussions with APRA and know we have to deliver a disciplined step change in our management of financial and non-financial risk.
“While we have made progress in improving our standards, we have much more work to do, and this must be done at pace.”
