Westpac 2020: $920M Enforcement Action

What happened?

AUSTRAC filed civil penalty proceedings against Westpac Banking Corporation in the Federal Court of Australia on 20 November 2019. The statement of claim alleged 23 million contraventions of Australia's Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act), spanning failures across multiple years.

The largest category involved International Funds Transfer Instructions (IFTIs). Westpac allegedly failed to submit over 19.5 million IFTIs to AUSTRAC between 2013 and 2019. IFTIs are mandatory reports required whenever funds move internationally. Failing to submit them removes financial intelligence from the regulator and limits its ability to detect cross-border crime.

Westpac also failed to pass required originator information in SWIFT messages sent to correspondent banks overseas. The receiving banks couldn't see who was sending the money.

The most damaging allegation involved LitePay, a low-cost international payment product. According to AUSTRAC's statement of claim, Westpac failed to implement monitoring controls adequate to detect patterns consistent with child sexual abuse material (CSAM) payments, particularly transfers to accounts in the Philippines. AUSTRAC alleged approximately 268 customers sent transactions consistent with this activity.

The proceedings became public immediately. Westpac CEO Brian Hartzer resigned in late November 2019 following a board decision. Chairman Lindsay Maxsted announced he'd accelerate his retirement.

In September 2020, Westpac and AUSTRAC agreed to a proposed AUD $1.3 billion penalty. The Federal Court of Australia approved the settlement. It was the largest civil penalty in Australian corporate history at that time.

What did regulators say?

AUSTRAC CEO Nicole Rose, in the September 2020 press release announcing the agreed penalty, described the failures as "serious and systemic." The regulator stated that Westpac's non-compliance "was the result of systemic failures in its control environment and a failure to give AML/CTF compliance the priority it required."

According to AUSTRAC: "Westpac's failure to implement appropriate transaction monitoring programs, and its failure to submit IFTI reports to AUSTRAC, meant that opportunities to detect, disrupt and prevent serious crime, including child exploitation, were lost."

The press release noted that Westpac cooperated with the investigation and took steps to address identified failures. Cooperation was a factor in the agreed penalty, though AUD $1.3 billion still represented the largest civil penalty in Australian corporate history at that time.

The Federal Court order went beyond the financial penalty. Westpac was required to appoint an external auditor to assess its AML/CTF compliance program and report on remediation progress. This type of provision is now standard in large AML enforcement outcomes: regulators want durable structural change, not just a settlement payment.

What controls failed?

Several distinct control failures contributed to the scale of Westpac's liability.

IFTI reporting gaps. Westpac's systems failed to submit over 19.5 million IFTIs to AUSTRAC between 2013 and 2019. The gap ran for years undetected internally. That points to an absent automated reconciliation control: no system was comparing payment volumes against AUSTRAC submission counts. For a bank processing millions of international transactions, manual verification of reporting completeness isn't realistic. AUSTRAC's compliance program guidance is clear that reporting entities bear responsibility for the completeness and accuracy of their submissions.

Correspondent banking information failures. Westpac failed to include required originator information in SWIFT messages to overseas banks. This stripped correspondent banks of what they need for their own due diligence, inconsistent with the obligations under FATF Rec 13 (FATF). The originator's name, account number, and address must travel with the wire transfer.

Inadequate transaction monitoring on LitePay. The product was built for speed and low cost. Those features carry specific risk: high volume, cross-border flows, and reduced identification friction. Westpac allegedly failed to configure monitoring rules that reflected LitePay's risk profile, including the CSAM-related patterns AUSTRAC had documented in its typology guidance.

Customer due diligence failures. For customers presenting elevated risk signals, Westpac allegedly didn't conduct the enhanced due diligence required under Australia's AML/CTF Rules, consistent with FATF Rec 10 (FATF).

Governance. Failures that persist over years and millions of transactions point to a compliance function that lacked the board-level priority or resources to identify and fix gaps before the regulator did.

Which regulations were violated?

The primary legislation is Australia's Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act 2006), which implements Australia's obligations under the FATF framework domestically.

The specific provisions breached included:

• Part 3 of the AML/CTF Act: the obligation to submit IFTIs to AUSTRAC for qualifying international transactions. Westpac breached this on over 19.5 million occasions.
• AML/CTF Rules, Chapter 15: requirements to include originator information in international wire transfers, consistent with FATF Rec 16 (FATF) (the Travel Rule), which requires sender information to travel with each wire transfer from source to destination.
• Part 2 (Customer Due Diligence): obligations to conduct appropriate CDD and enhanced due diligence for high-risk customers, consistent with FATF Rec 10 (FATF).
• Part 7 (Ongoing CDD and Transaction Monitoring): the obligation to maintain a program to detect and report suspicious activity, consistent with FATF Rec 20 (FATF).

Australia's AML/CTF Act also requires reporting entities to adopt a risk-based approach to compliance, consistent with FATF Rec 1 (FATF). Westpac's failure to tailor LitePay's controls to its specific cross-border risk profile was a failure of this foundational requirement. FATF's assessment of Australia has consistently underscored the expectation that financial institutions match controls to product-level risk.

The 23 million contraventions reflect how a single systematic gap, running undetected for years, accumulates into a record-breaking liability.

Which typologies were involved?

Three typologies are identifiable from the public record.

Cross-border payment opacity. The failure to submit 19.5 million IFTIs removed financial intelligence from AUSTRAC's view at scale. Funds moved internationally without the mandatory reporting that allows AUSTRAC to trace flows and share intelligence with overseas agencies. At correspondent level, incomplete SWIFT messages compounded that gap: the receiving bank couldn't see who was sending the money.

Child exploitation payments. This is the typology that made Westpac's case internationally significant. AUSTRAC alleged that transactions through LitePay showed patterns consistent with payments to CSAM operators in the Philippines. The specific pattern, regular small transfers to individual accounts in known high-risk jurisdictions, is documented in financial intelligence typology guidance. AUSTRAC had published indicators for this pattern before the proceedings were filed. Westpac's monitoring rules didn't detect them.

Customer risk profiling failure. For a subset of customers who should have triggered enhanced scrutiny, controls were absent or not functioning. This maps to a breakdown in ongoing customer risk assessment: risk profiles didn't update as transaction patterns emerged, and the enhanced due diligence that should have followed was never triggered.

For compliance teams managing cross-border payment products, these three typologies are a practical checklist. Each is detectable with the right monitoring configuration. The question is whether your rules have been tested against documented patterns.

Aftermath and remediation

The AUD $1.3 billion penalty (approximately USD $920 million) was approved by the Federal Court of Australia in September 2020. It's one of the largest civil penalties in Australian corporate history.

CEO Brian Hartzer resigned in late November 2019, within days of AUSTRAC filing proceedings. Chairman Lindsay Maxsted accelerated his planned retirement. CFO Peter King became CEO and led the bank's remediation program.

The Federal Court order required Westpac to appoint an external auditor to assess its AML/CTF compliance program and report on progress. This monitorship provision is now standard in large AML enforcement outcomes: regulators want documentary evidence of change over time, not just an agreed statement of facts.

Westpac publicly disclosed a remediation program called CORE (Customer Outcomes and Risk Excellence). The bank committed to expanded headcount in financial crime compliance, new transaction monitoring systems, and external senior compliance hires.

Reputationally, the case was severe. The child exploitation dimension generated sustained political and media attention across Australia. The bank faced parliamentary scrutiny and calls for accountability beyond the civil settlement.

Westpac's share price fell sharply when AUSTRAC filed in November 2019 and stayed under pressure through the settlement period.

The case prompted AUSTRAC to signal that large institutions are expected to invest in compliance proportionate to their transaction volumes and risk profiles. It's a position the regulator has maintained since.

Lessons for other institutions

Several concrete lessons come from Westpac's failures.

New products need dedicated risk assessments. LitePay was built for speed and low cost. Those features carry specific risk: high volume, cross-border flows, less friction on customer identification. Banks that launch payment products without modelling those characteristics into monitoring rules set themselves up for exactly this outcome. Product risk assessments belong at the design stage, not after enforcement.

IFTI and Travel Rule reporting must be verified automatically. Westpac's gap ran for years undetected. That means no reconciliation control was checking whether every qualifying international payment generated a corresponding IFTI. A feed comparing payment volumes against regulator submission counts would surface any gap quickly. It's straightforward to build and easy to justify to a board.

Correspondent banking relationships need periodic testing. SWIFT message completeness should be audited on a schedule, not just confirmed at initial setup. The obligation to pass originator information to correspondent banks is ongoing. It breaks silently if nobody's checking.

Escalation paths need to be used. Multi-year failures across millions of transactions suggest compliance concerns weren't reaching board level with appropriate urgency. Post-Westpac, regulators in Australia, the UK, and the US have been explicit: boards are expected to be aware of material compliance gaps, not just receive summary reporting.

Calibrate monitoring against documented typologies. AUSTRAC published indicators for CSAM-related payment patterns before this case. Regularly testing your monitoring rules against published typology guidance is a gap analysis you can do internally. If your rules don't detect a known pattern, that's a finding that needs fixing before a regulator finds it for you.

How FluxForce helps prevent similar failures

FluxForce monitors international payment flows in real time and flags IFTI reporting gaps before they accumulate. Behavioral analytics across correspondent banking channels detect anomalous transfer patterns that static rule engines miss. These include the small-regular-transfer patterns documented in CSAM typology guidance. Automated suspicious matter report drafting cuts analyst review time, and every decision is stored with a full evidence trail ready for regulatory examination. For compliance teams looking to close the gaps this case exposed, the FluxForce demo shows how these controls work in practice.