Peter Oakes, fintech and financial crime expert talks to Gabriel Vedrenne of ACAMS MoneyLaundering.com about European financial institutions that switched to onboarding all new clients remotely at the height of COVID-19 lockdowns should review their customer files to ensure that adequate due diligence was conducted as per the European anti-money laundering standard setter warned.
​
​CLICK HERE

Source: AUSTRAC
Press Release 24 September 2020

Westpac and AUSTRAC have today agreed to a AUD$1.3 billion dollar proposed penalty over Westpac’s breaches of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act). Westpac and AUSTRAC have agreed that the proposed penalty reflects the seriousness and magnitude of compliance failings by Westpac.

The Federal Court of Australia will now consider the proposed settlement and penalty. If the Federal Court determines the proposed penalty is appropriate, the penalty order made will represent the largest ever civil penalty in Australian history. 

In reaching today’s agreement, Westpac has admitted to contravening the AML/CTF Act on over 23 million occasions, exposing Australia’s financial system to criminal exploitation.
In summary, Westpac admitted that it failed to:

• Properly report over 19.5 million International Funds Transfer Instructions (IFTIs) amounting to over $11 billion dollars to AUSTRAC.
• Pass on information relating to the origin of some of these international funds transfers, and to pass on information about the source of funds to other banks in the transfer chain, which these banks needed to manage their own ML/TF risks.
• Keep records relating to the origin of some of these international funds transfers.
• Appropriately assess and monitor the risks associated with the movement of money into and out of Australia through its correspondent banking relationships, including with known higher risk jurisdictions.
• Carry out appropriate customer due diligence in relation to suspicious transactions associated with possible child exploitation.

In reaching the agreement, Westpac has also admitted to approximately 76,000 additional contraventions which expand the original statement of claim. These new contraventions relate to information that came to light after the civil penalty action was launched last year and relate to additional IFTI reporting failures, failures to reasonably monitor customers for transactions related to possible child exploitation, and two further failures to assess the money laundering and terrorism financing risks associated with correspondent banking relationships.

AUSTRAC’s Chief Executive Officer, Nicole Rose PSM said the settlement sends a strong message to industry that AUSTRAC will take action to ensure our financial system remains strong so it cannot be exploited by criminals.

“Our role is to harden the financial system against serious crime and terrorism financing and this penalty reflects the serious and systemic nature of Westpac’s non-compliance,” Ms Rose said.
“Westpac’s failure to implement effective transaction monitoring programs, and its failure to submit IFTI reports to AUSTRAC and apply enhanced customer due diligence in relation to suspicious transactions, meant AUSTRAC and law enforcement were missing critical intelligence to support police investigations.”

Ms Rose said such a large number of breaches over several years was unacceptable and could have been avoided with better assurance and oversight processes to identify ongoing reporting failures.
AUSTRAC works in partnership with the businesses we regulate through a comprehensive industry education program.

“We have been, and will continue to work collaboratively with Westpac and all businesses we regulate to support them to meet their compliance and reporting obligations to ensure this doesn’t happen again in the future.”

Westpac continues to partner with AUSTRAC to assist AUSTRAC and law enforcement agencies to stop financial crime, including as a member of AUSTRAC’s private-public partnership the Fintel Alliance.

About AUSTRACAUSTRAC (the Australian Transaction Reports and Analysis Centre) is the Australian Government agency responsible for detecting, deterring and disrupting criminal abuse of the financial system to protect the community from serious and organised crime.

Through strong regulation, and enhanced intelligence capabilities, AUSTRAC collects and analyses financial reports and information to generate financial intelligence.
​
Learn more about AUSTRAC: https://www.austrac.gov.au/about-us/austrac-overview 
Media contactEmail: [email protected] 
Phone: (02) 9950 0488  

Not long after the European Union’s top court ordered Ireland on 16 July 2020 to pay a lump sum of €2 million to the European Commission for Ireland's failure to implement regulations aimed to prevent money laundering and terrorist financing, a new law aimed at strengthening existing Irish anti-money laundering legislation and giving effect to provisions of the 5th EU Money Laundering Directive has been approved by the Cabinet of the Irish Government.

On Monday 10th August 2020, the Cabinet has approved the publication of the Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Bill 2020.  This follows the signing into law by the President of Ireland on 5th May 2020 of the earlier Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (Act 6 of 2010) [previously known as the Criminal Justice (Money Laundering and Terrorist Financing) Bill 2009 (Bill 55 of 2009)].

If you need advice on the new Bill or your existing regulatory compliance obligations, get i touch with Peter Oakes here at at CompliReg.  

Useful Links: 

• 10th August 2020, Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Bill 2020 [will insert link once copy of new Bill located]
• 10th August 2020, Announcement of 2020 Bill receiving Cabinet Approval
• 16th July 2020, EU court fines Ireland €2m over delay in anti-money laundering rules
• 5th May 2020, Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (Act 6 of 2010)
• 5th May 2020, History of Act 6 of 2020
• 13th August 2020, LinkedIN post 
• Central Bank of Ireland AML/CFT Regulation Page

The Minister for Justice and Equality, Helen McEntee T.D., has received Cabinet approval for the publication of the Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Bill 2020. The Bill transposes the criminal justice elements of the 5th EU Money Laundering Directive and strengthens existing legislation.

Upon announcing the new Bill, the Minister McEntee said, "I look forward to bringing this legislation before my colleagues in both Houses, and anticipate that this Bill will receive broad, cross-party support."

What does the Bill contain?

The Bill includes provisions to:

• improve the safeguards for financial transactions to and from high-risk third countries and sets new limits on the use of anonymous pre-paid cards;
• bring a number of new ‘designated bodies’ under the existing legislation, this includes virtual currency providers and associated online ‘wallet providers’ for virtual currencies as well as dealers and intermediaries in the art trade;
• prevents credit and financial institutions from creating anonymous safe-deposit boxes;
• enhance the customer due diligence (CDD) requirements of the existing legislation;
• provide for Ministerial guidance which will clarify domestic “prominent public functions.

 
The Minister also noted that: "This Bill is an important piece of legislation for tackling money-laundering. The reality is that money laundering is a crime that helps serious criminals and terrorists to function, destroying lives in the process. Criminals seek to exploit the EU’s open borders, and EU-wide measures are vital for that reason.

This new legislation also includes a number of technical amendments to other provisions of Acts already in force."

While the Bill transposes certain elements of the 5th Anti-Money Laundering Directive, the Department of Finance is also engaged in giving effect to certain provisions of the Directive, including those relating to:

• facilitating increasing transparency on who really owns corporate entities, financial vehicles and trusts by establishing beneficial ownership registers;
• ensure the creation of, and access to, centralised national bank and payment account registers or central data retrieval

The Minister for Finance (Paschal Donohue, T.D.) has also secured Government Approval to bring forward amendments in respect of the regulation of Virtual Asset Service Providers (VASPs). The amendments will ensure that the necessary registration and fitness and probity regime, required by 5AMLD for virtual asset service providers, become statutory requirements. Amendments will also address Ireland’s international obligations, relating to a robust regulatory framework for new technologies, new products and new practices, as identified by the Financial Action Task Force (FATF).

Here's a blueprint for inviting an enforcement action for cyber-fraud & misleading your regulator arising from Bank of Ireland's fine €1,660,000 announced today. [Linkedin Post Here]

What did Bank of Ireland do wrong?:

1) failed to implement sound administrative procedures & internal control mechanisms in respect of third party payments.

2) failed to introduce adequate organisational arrangements around third party payments to minimise the risk of loss of client assets as a result of fraud.

3) failed to establish, implement & maintain systems & procedures adequate to safeguard the security, integrity & confidentiality of client bank account details.

4) failed to establish, implement & maintain adequate internal control mechanisms designed to secure compliance with its reporting obligations pursuant to Sec. 19 of the Criminal Justice Act 2011.

5) failed to monitor adequacy & effectiveness of the measures & procedures put in place & the actions taken to address any deficiencies in respect of third party payments.

6) failed to be open & transparent, having the effect of misleading the Central Bank in the course of the investigation.

On 27 July 2020, the Central Bank of Ireland (the Central Bank) reprimanded and fined The Governor and Company of the Bank of Ireland (BOI) for five breaches of the European Communities (Markets in Financial Instruments) Regulations 2007 (the MiFID Regulations) committed by its former subsidiary, Bank of Ireland Private Banking Limited (BOIPB).  BOI has admitted the breaches, which vary in length from one to ten years.

In line with its published Sanctions Guidance, the Central Bank has determined the appropriate fine to be €2,370,000, which has been reduced by 30% in accordance with the settlement discount scheme provided for in the Central Bank’s Administrative Sanctions Procedure.

The Central Bank’s investigation arose from a cyber-fraud incident that occurred in September 2014 (the Incident).  Acting on instructions from a fraudster impersonating a client, BOIPB made two payments to a third party account totalling €106,430: one from a client’s personal current account, the other from BOIPB’s own funds.  BOIPB immediately reimbursed the client. During a Full Risk Assessment of BOIPB in 2015, the Central Bank discovered a reference to the Incident in an operational incident log. 

BOIPB had not reported the cyber-fraud to An Garda Síochána, and only did so at the request of the Central Bank over one year after the Incident.
​
The Central Bank’s investigation found serious deficiencies in respect of third party payments, including:

• Inadequate systems and controls to minimise the risk of loss from fraud
• Inadequate governance, oversight and ongoing review of the systems and control environment
• Lack of staff training and a culture in which fulfilling clients’ instructions was given primacy over security and regulatory requirements
• Lack of compliance monitoring.

BOIPB’s failure to be open and transparent had the effect of misleading the Central Bank in the course of the investigation.  BOIPB failed for a period of 19 months to disclose to the Central Bank an internal report, commissioned following the Incident, which identified ongoing systemic control failings in the processing of third party payments.  During that same period, BOIPB strenuously denied the existence of any such failings to the Central Bank in response to the investigation. BOIPB’s conduct materially added to the time it took to investigate this case.

This is one of two aggravating factors in this case; the other being the excessive amount of time it took BOIPB to fully remediate the relevant deficiencies.  Remediation in relation to third party payment processes took place in February 2016, 17 months after the Incident, and then only following the Central Bank’s intervention.  In August 2016, the Central Bank determined that a Risk Mitigation Programme (RMP) relating to third party payment processes was completed.

The Central Bank’s Director of Enforcement and Anti-Money Laundering, Seána Cunningham, said: “The Central Bank has a clear expectation that firms are alert to the real and increasing risks from cyber-fraud to the security of their clients’ deposits and confidentiality of their clients’ financial information, and put in place appropriate safeguards to protect their clients accordingly.

This is the second time the Central Bank has imposed a sanction on a firm where a client has suffered a loss from cyber-fraud as a direct result of the firm’s regulatory failings.  BOIPB’s failure to put appropriate safeguards in place exposed BOIPB and its clients to the serious and avoidable risk of cyber-fraud. That risk crystallised twice.  BOIPB then failed to report the cyber-fraud to An Garda Síochána, which is a serious matter.  Reporting illegal activity is essential in the fight against financial crime.

This case should serve to highlight to all firms the importance of ongoing vigilance in the area of cyber security.  The Central Bank expects all firms to consider, identify and manage operational and cyber risks and ensure that their staff receive appropriate training tailored to the risks associated with their duties and responsibilities.

The Central Bank expects pro-active engagement from regulated entities – that extends from self-reporting through remediation and full cooperation with the investigation. The excessive time taken by BOIPB to remediate identified deficiencies and the failure to be fully transparent and open in the context of the Central Bank’s investigation were aggravating features in this case.”

BACKGROUND
Founded in 1989, BOIPB was first authorised as a “section 10 investment business firm” under the Investment Intermediaries Act, 1995 (the 1995 Act) on 26 May 2000.  This authorisation was subsequently transferred to an authorisation under the MiFID Regulations on 1 November 2007.
At the time of the cyber-fraud, BOIPB was an independently regulated MiFID firm and its primary activity was to provide investment services to high net worth individuals who had investable assets in excess of €1,000,000. In addition, BOIPB provided a full range of banking services to its clients (lending, deposit taking and day-to-day current account banking) as a deposit agent of BOI.

Since 1 September 2017, BOIPB is no longer a MiFID firm and is now a business unit within the Retail Division of BOI. The unit retains the name Bank of Ireland Private Banking as a trading name of the Governor and Company of the Bank of Ireland. Its services are authorised by the Central Bank of Ireland under the licence of BOI, a regulated financial service provider for the purposes of the Central Bank Act 1942.  BOIPB’s audited financial statements for the year ended 31 December 2016, the last year it existed as a separate entity, reported operating income of €19,867,000.

THE CYBER-FRAUD
Third party payment instructions were processed by BOIPB with particular reference to a procedure called the Third Party Payments Procedure (the TPPP), which outlined steps to be followed to verify a client’s identity before processing a third party payment instruction. 

BOIPB processed two separate payment instructions received in September 2014, purportedly from a client (the Client), which in fact were sent by a cyber-fraudster (the Fraudster) who had hacked the Client’s e-mail account.  This led to two transfers totalling €106,430 to be transmitted to a corporate bank account at a UK bank.  The first transfer was drawn from the Client’s current account, and the second transfer was drawn, at the instigation and authorisation of BOIPB, from BOIPB’s suspense account because the payment from the Client’s deposit account was rejected due to insufficient funds.

The Client made contact with BOIPB and notified it of the fraud on 30 September 2014, on receipt of an e-mail from BOIPB indicating recent communications (which were unfamiliar to the Client).  The Client was immediately reimbursed by BOIPB.

To facilitate the instructions received from the Fraudster, BOIPB staff, in breach of BOIPB’s policies and procedures:

• Released confidential account details to the Fraudster in response to an email request
• Did not ask security questions of the Fraudster when taking transfer instructions and responding to requests for account balances over the telephone
• Did not use the telephone number held for the Client on BOIPB’s database, instead speaking to the Fraudster on a telephone number provided in a fraudulent e-mail instruction
• Did not have a second staff member complete a call-back to verify the request.

The Fraudster used the following tactics:

• “Email hijacking”: hacking the Client’s e-mail account and re-directing e-mails coming from BOIPB to a mirror image e-mail account secretly set up by the Fraudster to intercept communications coming from BOIPB in relation to the fraudulent payment requests
• “Social engineering”:  in communications with BOIPB staff, making reference to the purchase of a property, the name of the Client’s solicitor, and similar terminology to that used by the Client in other emails.
• BOIPB did not identify certain flags which could have been indicative of fraud.
• The Fraudster used the expression “Ireland Account” when referring to the Client’s current account
• One email sent by the Fraudster from the Client’s email account to BOIPB staff was signed off with an entirely different name than the name of the Client.  The name used was that of an unrelated client of BOIPB.  The BOIPB recipient of the email did not pick up this discrepancy, or if he did, did not query it
• The fraudulent instructions were suspicious in nature. They included: incorrect telephone details; the request for a second substantial transfer within two days of an initial substantial transfer in an amount greater than the balance on the Client’s account; and the remittance of funds to a jurisdiction other than the jurisdiction in which the Client resided.

 
PRESCRIBED CONTRAVENTIONS
The Central Bank investigation identified the following contraventions:

Contravention 1
BOIPB breached Regulation 33(1)(f)(i) of the MiFID Regulations between 1 November 2007 and August 2016 by failing to implement sound administrative procedures and internal control mechanisms in respect of third party payments.

The Central Bank’s investigation found that the TPPP was wholly inadequate for the purposes of safeguarding client deposits when processing third party payments.  In particular, key procedural, security and authorisation steps were not outlined in the document. Staff did not receive adequate training on the processing of third party payments to ensure they were fully aware of how to safely process these payments.

Contravention 2
BOIPB breached Regulation 160(2)(f) of the MiFID Regulations between 1 November 2007 and August 2016 by failing to introduce adequate organisational arrangements around third party payments to minimise the risk of loss of client assets as a result of fraud.

The serious weaknesses in the process around third party payments, which had existed for some time, should have been known to management through proper governance, oversight and monitoring. There was no monitoring of third party payments by the first or second lines of defence. Furthermore, the recommendations of the first internal report commissioned by BOIPB in relation to this matter, dated December 2014, were not acted on. Similar weaknesses were identified in a second internal report in January 2016. Remediation of the issues identified in both reports did not take place until February 2016. 

Contravention 3
BOIPB breached Regulation 34(3)(a) of the MiFID Regulations between 1 November 2007 and 2 January 2018 by failing to establish, implement and maintain systems and procedures adequate to safeguard the security, integrity and confidentiality of client bank account details.

The investigation found that for the purposes of customer service, BOIPB staff frequently engaged with private clients through e-mail.  E-mail communication, because it is more vulnerable to infiltration by fraudsters than other forms of communication, needs to incorporate additional checks before being acted upon. By failing to identify and provide for this, BOIPB failed to safeguard the security, integrity and confidentiality of information relating to client bank accounts.

Contravention 4
BOIPB breached Regulation 34(1)(c) of the MiFID Regulations between 30 September 2014 and 16 December 2015 by failing to establish, implement and maintain adequate internal control mechanisms designed to secure compliance with its reporting obligations pursuant to Section 19 of the Criminal Justice Act 2011.  

BOIPB reported the Incident to its Group Financial Crime Unit (GFCU) on 1 October 2014. GFCU, on behalf of BOIPB, did not report the Incident to An Garda Síochána until December 2015, on the instigation of the Central Bank.

Contravention 5
BOIPB breached Regulation 35(2)(c) of the MiFID Regulations by failing to comply with Regulation 34(4) between November 2013 and December 2016 because, for that period, BOIPB’s Compliance function failed to monitor, and on a regular basis to assess the adequacy and effectiveness of the measures and procedures put in place and the actions taken to address any deficiencies in respect of third party payments.

The TPPP included a requirement that ad-hoc monitoring of third party payments be carried out by the Compliance function. The investigation found that throughout the period November 2013 to May 2016, no ad-hoc monitoring of third party payments was in fact carried out.
This failure persisted despite two internal reports highlighting the absence of monitoring and the systemic non-adherence to the TPPP.

BOIPB’S RESPONSE TO THE CYBER-FRAUD AND REMEDIATION
The Central Bank expects firms to promptly remediate known deficiencies in their procedures and internal control mechanisms.  BOIPB failed to do so.

Following the Incident, BOI Group Internal Audit function (GIA) investigated how it had occurred. GIA produced their findings in a report in December 2014, which pointed to systemic failings in the processing of third party payments. GIA strongly recommended that BOIPB carry out sampling to verify the authenticity of other “high-value interpays”. BOIPB failed to do this. GIA further recommended, that, at a minimum, the procedure in place relating to third party payments should be enhanced to clarify roles and responsibilities for authenticating and approving third party payments. Again, BOIPB failed to do this. The procedure remained unchanged until February 2016.
In March 2015, BOIPB commissioned a further internal review, this time by BOI Retail Business Assurance (RBA) centred on BOIPB’s procedures for processing third party payments.

Separately, following the Full Risk Assessment (the FRA) conducted in 2015, the Central Bank informed BOIPB that improvements in relation to third party payment processes would be part of the subsequent RMP arising from the FRA as the process in place was “not robust enough”.  The RMP was issued in February 2016, which set out the Central Bank’s expectations in relation to the actions needed to improve the third party payment process.

RBA issued its findings in draft to BOIPB in January 2016 (the RBA Report).  Following an assessment of a sample of third party payment records, RBA concluded that the same issues identified in December 2014 persisted, namely that client identification questions were not consistently being asked of clients as well as other deficiencies in the third party payment process.

BOIPB updated and revised the TPPP in February 2016. The RBA Report was signed-off in June 2016.  In August 2016, the Central Bank determined that the full RMP was completed.

BOIPB’S COOPERATION WITH THE CENTRAL BANK
The Central Bank expects regulated entities to cooperate in an open manner at all times and to respond to requests promptly, effectively and accurately.

When the Central Bank’s investigation commenced in February 2016, BOIPB possessed the RBA Report which contained highly critical findings in relation to the processing of third party payments. As such, it was highly probative to the Central Bank’s investigation.

The Central Bank issued a request for records in February 2016.  BOIPB should have provided a copy of the RBA Report when it responded to this request in April 2016. BOIPB failed to do so, instead it included one vague narrative reference to a risk assessment of banking activities (making no reference to a “report” or the fact that it related to third party payments specifically) within a document accompanying the records it supplied in response to the Central Bank’s request.
BOIPB disclosed the RBA Report to the Central Bank 19 months after the commencement of its investigation in response to a Central Bank statutory request explicitly requiring production of the record BOIPB had described as a “risk assessment”.  It was only when the document was disclosed and reviewed that its true nature and content became apparent to the Central Bank. 

The Central Bank conducted lengthy enquiries as to the circumstances around BOIPB’s failure to promptly disclose the RBA Report and the following arose:

• BOIPB held the RBA Report back as it was in “draft format”
• BOIPB decided not to proactively provide the RBA Report to the Central Bank following its signing-off in June 2016.  Instead, it would provide the signed-off report to the Central Bank only if specifically requested to do so
• Notwithstanding BOIPB’s acceptance of the recommendations of the RBA Report, in the course of the Central Bank’s investigation:
• BOIPB made no reference to the existence of the RBA Report or its highly critical findings until after it was provided to the Central Bank in September 2017; and
• Until May 2018, BOIPB denied that there were any deficiencies whatsoever in its third party payment processes, despite the manifestly contrary findings of the RBA Report, available since January 2016.

SANCTIONING FACTORS
In deciding the appropriate penalty to impose, the Central Bank considered the ASP Sanctions Guidance issued in November 2019. The following particular factors are highlighted in this case.

The Nature, Seriousness and Impact of the Contravention

• The contraventions revealed serious weaknesses of the management systems and internal controls relating to the processing of third party payments. The Central Bank, at a minimum, expects that firms ensure that there are comprehensive written procedures and robust internal controls, with effective and appropriate oversight and governance afforded to these. BOIPB had a responsibility to have adequate controls in place to protect  its clients’ deposits, and those controls were not sound 
• There was an actual loss of client deposits and the continued exposure of those deposits to potential loss
• The breaches spanned the lengthy period from November 2007 to January 2018.

​
The Conduct of the Regulated Entity after the Contravention

Aggravating

• BOIPB’s level of cooperation was far below what is expected.  BOIPB failed to provide complete and timely information and documentation in response to the Central Bank’s investigation letter and statutory request.  It also provided information to the Central Bank that was imprecise and vague.  The cumulative effect was that the Central Bank’s investigation was frustrated and prolonged.
• BOIPB did not take remedial action in a timely manner to address the contraventions despite knowledge of the severity of the deficiencies and the attendant risk of further loss to client deposits.

Other Considerations

• The financial position of BOIPB (prior to being merged into BOI on 1 September 2017) and the need to impose a proportionate level of penalty.

The Central Bank confirms that the investigation is now closed.
 
NOTES

1. The fine imposed by the Central Bank was imposed under Section 33AQ of the Central Bank Act 1942. The maximum penalty under Section 33AQ is €10,000,000, or an amount equal to 10% of the annual turnover of a regulated financial service provider, whichever is the greater.
2. This is the Central Bank’s 137th settlement since 2006 under its Administrative Sanctions Procedure, bringing the total fines imposed by the Central Bank to over €105 million.
3. Funds collected from penalties are included in the Central Bank’s Surplus Income, which is payable directly to the Exchequer, following approval of the Statement of Accounts.  The penalties are not included in general Central Bank revenue.
4. The fine reflects the application of an early settlement discount of 30%, as per the discount scheme set out in the Central Bank’s Outline of the Administrative Sanctions Procedure 2018 which is here: link. 
5. A copy of the ASP Sanctions Guidance November 2019 is available here: link This guidance provides further information on the application of the sanctioning factors set out in the Outline of the Administrative Sanctions Procedure (see link above) and the Inquiry Guidelines prescribed pursuant to section 33BD of the Central Bank Act 1942 (a copy of which is here:  link.   These documents should be read together.
6. The European Communities (Markets in Financial Instruments) Regulations 2007 (S.I. No. 60 of 2007) were repealed and replaced by the European Union (Markets in Financial Instruments) Regulations 2017 (S.I. No. 375 of 2017) which are available link and the European Union (Markets in Financial Instruments) (Amendment) Regulations 2017 (S.I. No 614 of 2017) which are available here: link
7. Bank of Ireland Private Banking Limited  merged into The Governor and Company of the Bank of Ireland on 1 September 2017.
8. On 22 September 2015, the Central Bank sent a Dear CEO letter following its review of the management of operational risk around cyber-security within the investment firm and funds industry that is here: link On 13 September 2016, the Central Bank issued cross-industry guidance in respect of IT and cybersecurity risks that is available for download here: link
9. On 10 March 2020, the Central Bank issued an industry letter for the attention for the attention of all Board members and Senior Management of asset management firms and published findings of a Thematic Inspection into the cybersecurity risk management practices in Asset Management firms: link

​Further information:
Media Relations: [email protected] / 01 224 6299
Ewan Kelly: [email protected] / 086 463 9652

Download Westpac's Report released 17 July 2020 - Reassessment of the Culture, Governance and Accountability Remediation Plan

Linkedin Post at ​https://www.linkedin.com/posts/peteroakes_riskculture-riskmanagement-regtech-activity-6689803983407628288-ynbv


Here's a good 5 point list of root causes of non-financial risk issues at large systemically important banks & institutions (anywhere in the world). In this case Westpac, arising from a report ordered by the Australian prudential regulator.

Applicable to non banks and non systemically important institutions:

1. an organisational construct that creates complexity;
2. an "immature and reactive" #riskculture in non‑financial risk management;
3. a 'three lines of defence model' that is not well understood or embedded among bank staff;
4. the lack of sufficient non-financial #riskmanagement capability; and
5. challenges in execution and staying the course.

With Westpac's CEO responsible for its new initiative "customer outcomes and risk excellence" or CORE, #regtech will need to feature heavily in execution, tracking & learnings.

Professor Elizabeth Sheedy, a #riskculture expert saying that the latest report shows too often risk is seen as a handbrake by banks rather than an enabler for long-term success.
Westpac "admitted the "culture, governance and accountability program", set up in January 2019 to implement the reforms, "has not delivered sufficient momentum", with many in the bank still do not "fully appreciate the cumulative impact of the issues". Paul McCarthy

Copyright with Australian Financial Review and James Eyers

Westpac Banking Corp has been forced to launch a new program to attempt to fix its broad risk-management failings, after a reassessment of its culture demanded by Australian Prudential Regulation Authority identified ongoing concerns, including that its non-financial risk culture is still "immature and reactive".

The new report identifies a lack of urgency and clarity in Westpac's response to problems it identified in a 2018 self-assessment of governance, which were exacerbated when AUSTRAC dropped a bombshell case last November that triggered the departures of the bank's CEO and chairman.

The Australian Prudential Regulation Authority insisted on the reassessment because it was concerned Westpac was not tackling the root causes of its failings when it read AUSTRAC's statement of claim. The latest investigation found Westpac is still "overly complex, which results in confusion around accountability and challenges in execution".

The shortcomings identified in the report, which was sent to all of Westpac's 35,000 staff on Friday morning, found Westpac's organisational structure created complexity, and its 'three lines defence' model, which is supposed to prevent risks materialising, "is not well understood or embedded".
The report highlights a "shortfall in sufficient non-financial risk-management capability" and says that even though Westpac has made various changes to respond to issues, "what is required is a program of deeper change".

It criticised an ongoing blame game, stating a priority for its work on culture "will be to strengthen psychological safety" for staff after the reassessment found "in some situations leaders had reacted to incidents with a focus on who is to blame rather than what to learn".
Many of the same failings were identified in the bank's self-assessment for APRA in 2018, after all banks were asked to audit themselves against the prudential regulator's expectations for fixing widespread cultural problems at Commonwealth Bank of Australia. The Hayne royal commission should also have emphasised the urgency of repairing culture to meet community expectations and restore trust.

But Westpac recognised on Friday the changes it has been making to respond to the 45 recommendations set out in its 2018 self-assessment had been "incremental". It admitted the "culture, governance and accountability program", set up in January 2019 to implement the reforms, "has not delivered sufficient momentum". It said many in the bank still do not "fully appreciate the cumulative impact of the issues".

“Our reassessment confirms that our management of non-financial risk is currently not at the standard we set for ourselves," said Westpac CEO, Peter King, releasing the 50-page report to the ASX.
“It is clear we have more to do to address these shortcomings, including improving our risk management capability and risk culture which is not where we want it to be."

APRA is continuing to investigate possible breaches of the Banking Act by Westpac, including the speed at which it has rectified issues identified by AUSTRAC. APRA has already imposed a $1 billion capital penalty on the bank to reflect its "heightened operational risk profile".

At the CORE

Westpac on Friday announced it would initiate a multi-year, multi-million dollar program, which it is calling "customer outcomes and risk excellence" (CORE). Mr King said he would be accountable for its delivery.

The reassessment said Mr King, who replaced Brian Hartzer as CEO, and the Westpac board, now led by John McFarlane who took the reins from Lindsay Maxsted, need to take more responsibility and set a proper "direction and tone" about the importance of the measures.

The report – which was conducted by Westpac management and a team from consultants Oliver Wyman together with assurance oversight by another consulting firm, Promontory – pointed to five ongoing "root causes" of Westpac's travails.

These are: an organisational construct that creates complexity; an "immature and reactive" risk culture in non‑financial risk management; a 'three lines of defence model' that is not well understood or embedded among bank staff; the lack of sufficient non-financial risk management capability; and challenges in execution and staying the course.

"Westpac does not underestimate both the magnitude of the changes that are required and the effort involved."

Professor Elizabeth Sheedy, a risk culture expert from Macquarie University, said the latest report shows too often risk is seen as a handbrake by banks rather than an enabler for long-term success.

"For me it all comes back to excessive focus on short-term profits which is driven by short-term cash bonuses," she said. "There is also a massive shortage of qualified and experienced risk and compliance executives across the industry. Institutions tend to want to keep budgets very tight when it comes to resourcing risk and compliance, which sends a message about organisational priorities."

It is expected that Westpac will look to make additional cost savings in order to pay for additional investment that will be required to improve risk systems.

The report was released after Mr McFarlane warned in an interview with the Financial Review on Friday that excessive financial regulation could make it more difficult for banks to lend and hamstring the economic recovery.

Westpac has been negotiating with AUSTRAC over a potential settlement of the anti-money laundering case, with the financial crimes regulator due to file an amended statement of claim next month to incorporate broader allegations that the bank should have suspected another 270 customers were paedophiles.

It is also waiting for a decision from the Australian Securities and Investments Commission on whether it will appeal the bank's responsible lending victory in the full Federal Court last month to the High Court.


James Eyers writes on banking, fintech and technology. Based in our Sydney newsroom, James is a former Legal Affairs and Capital editor for the Financial Review Connect with James on Twitter. Email James at [email protected]

Source: https://www.afr.com/companies/financial-services/westpac-culture-still-immature-and-reactive-20200717-p55cxa

If you use all or any part of this blog, please ensure you cite and credit CompliReg and Peter Oakes in your re-use of this blog.


Another electronic money institution (EMI) fined and sanctioned in Lithuania for anti-money laundering regulatory requirements and in this case also for an equity capital requirement failure. 
 
While the case is worth noting for both aspects, it is particularly so because across Europe, following the collapse of Wirecard, there will be continuing heightened awareness of both safeguarding and capitalisation of regulated EMIs and payment institutions (PIs). The case also makes known that the BoL is conducting targeted inspections of EMIs across a range of themes.
 
In our previous blog, 2 June 2020, on the Lithuanian Central Bank (Bank of Lithuania / BoL) giving banks guidelines on opening accounts for electronic money institutions (EMIs) and payment institutions (PIs) Peter Oakes noted recent examples of fines against EMIs/PIs including failures to comply with requirements for: (i) anti-money laundering; (ii) safeguarding of customer funds; and (iii) segregation of customer funds and; execution of payment transactions. 
 
The Bank of Lithuania, which supervises 71 EMIs - which is the largest number of EMIs supervised by an EU financial regulator national competent authority* - has announced that it has taken regulatory action against Via Payments UAB for both:
 
(1) violations of the requirements for prevention of money laundering and terrorist financing (sanctioned with a fine of €120,000 and publicity); and
(2) failure to meet the equity capital requirement (sanctioned with publicity only).
 
Via Payments UAB holds an electronic money institution licence, issued on 10 October 2017.

As you will see from the graphic below, in addition to BoL supervising 71 EMIs we also learn that Q1 2020 income from EMI and payment services amounted to €17.3 million.

Keep reading below for the background to the facts of the Via Payments UAB enforcement action. 

(1) Background to the money laundering law violations:

The regulatory actions were taken on foot of a "targeted inspection of the electronic money institution Via Payments UAB". During the course of the inspection, the Supervision Service of the BoL identified breaches of the Republic of Lithuania Law on the Prevention of Money Laundering and Terrorist Financing. In addition to a fine of €120,000, the BoL obligated Via Payments to remedy the deficiencies.

BoL says that Via Payments has confirmed that all deficiencies have been remediated.
 
With respect to the money laundering violations, the inspection revealed that:

• customer risk assessment procedures applied by the institution did not allow for the ensuring of proper allocation of customers into risk groups.
• customer’s beneficiary’s information was not, in all cases, checked against reliable and independent sources.
• information about the purpose and nature of the customer’s business relationship was not received.
• there were shortcomings in procedures to determine whether the customer was a politically exposed person.
• Via Payments did not take the appropriate measures to identify the source of the funds of high-risk customers.
• there were deficiencies found in the mandatory ongoing monitoring of business relationships and transactions.

 
BoL imposed a fine of €120,000 on Via Payments UAB.  As part of its mitigation Via Payments informed the BoL’s Supervision Service that it had already taken measures to strengthen its AML compliance by increasing the number of specialists and improving technological solutions.
 
 (2) background to the equity capital requirement failure
​
This regulatory failure came to the attention of the BoL through a separate analysis of the activities of EMIs.  Here the Supervision Service of the BoL recorded that Via Payments violated legal acts because as at 31 March 2020 the company “failed to meet the equity capital requirement”.  The BoL appears to have place a lot of reliance on the institution having “eliminated the indicated shortcomings without further delay, no interests of their clients have been violated” and therefore BoL “decided to impose a mild enforcement measure by making these infringements public”.
 
 
* Note that notwithstanding that the UK is in a post-Brexit transition period, it left the European Union on 31 January 2020.  Accordingly, Lithuania although it may have fewer EMIs than the UK, it records the largest number of EMIs in the European Union.
 
Sources:

• https://www.lb.lt/en/news/view_item/id.11484
• https://complireg.com/blogs--insights/lithuanian-central-bank-gives-banks-guidelines-on-opening-accounts-for-electronic-money-and-payment-institutions-some-examples-of-fines-against-emoneypayments-firms

 
This blog written by Peter Oakes.  Peter  advises on Lithuanian EMI/PI issues and advised on the authorisation of one Lithuania's first special bank authorisations.  If you require a licence to operate in Lithuania, Ireland, Cyprus, Malta or the UK, see our Authorisation Page.  We have a great network of experts in each country too, from lawyers, to accountants to technical experts. And get in contact if you have a question about this blog.

This post first appeared on Peter Oakes's Linkedin Page on 3 July 2020.  Given the high level of interest in the post, we have published further information here about the details of the case.

One for the money laundering typologies.

This is a useful example to demonstrate how a corrupt solicitor can launder money for clients.

ow many times has the compliance department been told "Hey its OK, the client is being vouched for by his / it's lawyer. We don't need proof of source of funds or wealth". Well here's the story of the gangsters' 'go to' solicitor.

• Father-of-three Ross McKay, 39, formerly of Wilmslow, United Kingdom agreed to be struck off the roll.
• ​McKay was jailed for 7 years back in January 2019 for helping fraudsters develop a multi-million-pound property portfolio.
• McKay was responsible for more than 80 property transactions for various criminals, all of whom were subsequently convicted of offences including money laundering and fraud.
• McKay was the conveyancing solicitor who gave a 'veneer of respectability' in a series of illicit properties deals masterminded by Scott Rowbotham, 35 years of age. Businessman Rowbotham managed 88 homes and made huge profits.
  McKay, of Wilmslow, was jailed for seven years leaving wife and children behind
• During McKay's trial, Manchester Crown Court was told he was the gangsters’ ‘go-to’ solicitor who would carry out property transactions without asking questions about where money had come from.  The trial also heard McKay represented Billy Black, a friend of killer Dale Cregan.  Black is currently serving 22 year for fraud and drugs offences. 
• Rowbotham accumulated around £500,000 a year in rent from his property empire, getting mortgage lenders to hand over huge amounts by lying about his income.  Rowbotham told clients he was an operations manager for a TV company with a salary of £48,000 a year - but the fake pay slips covered up the reality - that he had only declared £1,000 in income and £18.20 in tax over 11 years. 
• Rowbotham's girlfriend was also pocketing £20,000 in tax credits at the time.   
• Worked for two clients on total purchases worth more than £7.3m.
• Assisted them in the acquisition of criminal property.
• The court was told that deposits were put down on property where the source of funds was disguised and mortgage applications used nominees instead of the names of the legitimate purchasers.
• Mortgage applications used nominees instead of names of legitimate purchasers.

Read more at:
​
2 July 2020 - Solicitor jailed over money laundering links is now struck off
8 January 2019 - 'Go to' solicitor for dodgy property deals jailed for seven years
7 January 2019 - Corrupt lawyer, 39, linked to police killer Dale Cregan is jailed for seven years after he helped a buy-to-let landlord use dirty money to fraudulently build a £10.8m property empire - 

For advice and training on anti-money laundering and counter-terrorist financing contact Peter Oakes at CompliReg.

Australian Bank giant Westpac is expecting to fork out more than $1 billion as a result of its money laundering scandal and admitting to 23 million anti-money laundering breaches.

It's not just story about culture, conduct risk and financial crime risks.  Far more importantly, it is a story of shame, leadership failure and financial pain for Westpac and relief for another Aussie bank.
 
The fine would be the biggest corporate fine in Australian history. Westpac has revealed it expects the ongoing AUSTRAC investigation will cost it $1.03 billion.  Such a fine will represent about 15% of the bank's 2019 profit.
 
Shame: In November last year AUSTRAC, the entity responsible for preventing financial crimes, said the bank had violated anti-money laundering and counter-terrorism laws more than 23 million times (which the bank admits), allowing money tied to child exploitation in south-east Asia to flow freely. For example, Westpac's system was used by paedophiles to send money to the Philippines to pay for child abuse material without raising any red flags.   Notwithstanding Westpac's admission, the bank is not going down without a fight.  In the 57-page defence document filed with the court, Westpac denied AUSTRAC'S accusation that it failed to identify activity indicative of child exploitation risks.
 
Leadership Failure: The scandal brought down Westpac's leadership, forcing the resignation of chief executive Brian Hartzer and the early retirement of chairman Lindsay Maxsted.
 
Financial Pain: Last year Australian financial press reported that a penalty or settlement of $2 billion or $3 billion would see its CET1 ratio falling below 10.5% meaning the bank would be forced into another equity raising. And the trouble doesn't stop there for Westpac as the corporate regulator, ASIC, is probing into Westpac's previous $2.5 billion equity raise.
 
Relief: Commonwealth Bank will be delighted to pass the mantle of the indignity of Australia's current money laundering record fine of $700 million to Westpac (Commonwealth Bank was fined for systemically failing to report around 54,000 suspicious transactions made through its "intelligent deposit machines").
 
If you want more on the story from the media, there are updates on an almost weekly basis  - soon I guess daily basis.  Just use this link to keep track of the story:  "Westpac Austrac money laundering fine".

And add case to your case studies and typologies in your AML / CTF training for everything from CDD, transaction monitoring, risk assessment, culture, condusct risk and (lack of) crisis management.

Peter Oakes, Founder, CompliReg
​
Peter Oakes is an experience anti-financial crime, fintech and board director professional.  He served as Ireland's first Director of Enforcement and Financial Crime Supervision at the Central Bank of Ireland (2010-2013) in the aftermath of the financial crisis, leading the investigation and enforcement efforts into the Irish banking industry.  Peter is a regular contributor to, and moderator and panel member at, ACAMS events.

European Supervisors Instructed to Challenge Banks More Frequently.  Peter Oakes discusses this topic with Gabriel Vedrenne, ACAMS MoneyLaundering.com

CLICK HERE

EU inches towards uniform AML rules and supervision. Peter Oakes discusses this topic with Gabriel Vedrenne, ACAMS MoneyLaundering.com

​CLICK HERE