When a compliance failure at a major Australian company claims its chair, CEO, and chair of the board’s risk and compliance committee, it makes sense for boards in all sectors to look for lessons about their own role and responsibilities in managing non-financial risk.
Launched in November 2019, AUSTRAC’s civil prosecution of Westpac for breaches of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF) did just that. In response, Westpac commissioned a review — conducted by Dr Ziggy Switkowski AO FAICD, Dr Kerry Schott AO and Colin Carter AM FAICD — on board governance of financial crime compliance in the bank. In May 2020, Westpac admitted most of the breaches alleged by AUSTRAC. In June 2020, it released the findings of the board review to the market.
The review asked two important questions: whether board processes overall were adequate, and whether “diligence by directors” was adequate. For shareholders and other stakeholders, the questions go to whether the board could or should have done something different to avert the bank’s significant AML/CTF compliance failures.
The review panel found that “the way in which the Westpac board organised its general governance responsibilities was mainstream and fit for purpose”. It also “noted that, with the benefit of hindsight, and noting the board’s escalating focus in the area, directors could have recognised earlier the systemic nature of some of the financial crime issues Westpac was facing”. And significantly, that “reporting to the board on financial crime matters was at times unintentionally incomplete and inaccurate”.
In other words, the review didn’t identify anything that, at the time, a reasonable board would have done much differently in the circumstances. But the report is noteworthy because it raises — without resolving — two important issues about the responsibility of boards in connection with compliance failures.
The first is the widening expectation gap over the role and reach of boards in compliance. The review panel says, “Assessing whether a board has done well or poorly is substantially determined by views about what boards can and cannot be expected to do. This is something of an ‘elephant in the room’ issue. It is rarely discussed, but is central to our considerations. And here we see society’s steadily increasing expectations, which are not necessarily well founded, on what boards are set up to achieve.”
The Westpac board comprised nine non-executive directors and the CEO. Non-executive directors cannot and do not manage the day-to-day business operations of the entity. The panel says, “Discussions about the responsibilities of board members rarely touch on what is realistically feasible for them to achieve. In risk management, are they an additional line of defence conducting detailed diligence; or rather a high-level overseer of risk management strategy and policy and a high-level monitor of risk management competence and effectiveness? To what extent can boards be expected to pick up major mistakes deep inside their company?”
Of course, corporate lawyers and corporate law academics have these discussions all the time. The law requires that individual directors and other officers act with the degree of care and diligence that a reasonable person would exercise in their position. This includes responding to a foreseeable risk of harm to the entity resulting from a compliance failure. Lawyers look for what is a “reasonable” response on the part of the individual to the risk in all the circumstances, judged without hindsight bias. Most board members proceed on the basis that the board as a whole has an active and collective duty of oversight over management’s risk and compliance practices and accountabilities, with red or amber flags triggering a more active inquiry and, if necessary, intervention. The role of board members is not to be a fourth line of defence in risk management.
The complexity is in determining what a reasonable board should do. If regulators and courts move in the same direction as public sentiment and expect of boards something they cannot feasibly achieve, the current governance model of unitary boards comprised of mostly non-executive directors will quickly become unsustainable. This is where the review panel’s question about the role of the board comes in. Regulators’ selection of future enforcement actions against individuals implicated in corporate compliance failures — and the courts’ application of the duty of care in those cases — will be decisive.
The second issue that emerges from the Westpac review concerns the information provided by management to the board. The authors of the Westpac report concluded that: “Board processes, and the information flow to the board and its committees, were adequate. However, there was a problem with the content of information”. Noting that it was beyond their scope to address management failings, they observed that, “When a board is not getting correct information or matters are being omitted, its task is made impossible. There is absolutely no evidence that these errors were intentional or were motivated to mislead the board. The simple fact is that management did not know and hence could not inform the board until they did know.”
As the Westpac board found, there is no easy fix to this problem. Ensuring that the information provided to the board about key risks is complete and correct is always difficult. In information, quality is not the same as quantity. Asking the right questions is important, but Donald Rumsfeld’s “unknown unknowns” will always be over the horizon.
In the end, the Westpac review panel made several recommendations for strengthening the board’s processes. Westpac’s wide-ranging and expensive culture, governance and accountability (CGA) self-assessment, provided to the prudential regulator in 2019, is being “reassessed” in light of the AML/CTF breaches. The panel encouraged “end-to-end visibility and ownership of processes” — which it felt was absent from the bank’s multi-brand and matrix organisational model. It also noted that this is “a bigger risk for those processes which do not have a loud corporate voice and are characterised by non-financial key performance indicators, which are not monitored daily as are financial metrics, customer statistics and the like”.
The panel also identified “three types of monitoring required: monitoring the many financial crime risks facing Westpac, monitoring the risk management framework to ensure it remains appropriate and proportionate to those risks, and monitoring the transactions and activities of customers”. It observed that “the ‘traffic light’ scoring system for conforming to the risk appetite is one monitoring tool used, but deeper issues also need routine consideration and perhaps different types of reporting”.
Significant compliance failures, such as Westpac’s AML/CTF breaches, expose an entity to regulatory sanctions and litigation risk, and damage its standing with key stakeholders. Boards can expect regulators to continue to focus on both corporate and individual accountability in these situations.