Next month, Westpac’s new chairman faces Australia’s “biggest breach of anti-money laundering laws”, but there’s more at stake — in every country affected by such laws — than most reports suggest. A vigorous regulator is tipped to beat its record-breaking penalty against another major bank, amidst “significant” claims against a third. On the other hand, growing enforcement successes obscure uncomfortable realities about the impact on crime.
Breathless reporting obscures sad reality
In November, Westpac, Australia’s oldest bank, was charged with 23 million breaches of anti-money laundering laws, including allegedly overlooking payments potentially indicative of sex exploitation overseas.
Most reporting is scrupulously accurate, yet misleading. Missing from most of the thousands of published reports is a broader perspective.
Curated to highlight its most salacious claims, the regulator’s announcement unsurprisingly generated excited commentary calling the “bombshell revelations” “deeply troubling”, “incredibly concerning” and “about as serious as it gets”. Penalty predictions of $1 billion or more ease the regulator’s burden. Bloodied corporates often settle, to stem the damage. AUSTRAC, Australia’s anti-money laundering regulator, might get to claim another “success” without proving its case (or explaining how it overlooked a glaring gap in the number of reports it should have received).
Westpac’s initial response suspended managers’ bonuses, boosted compliance funding by $80 million, and pledged tens of millions of dollars to schemes combatting child exploitation. Soon after, the bank’s chief executive resigned, its chairman announced early retirement, and Westpac entered crisis talks with investors amidst fresh regulatory investigations and a “precipitous slide” in its share price. The bank risked losing major government contracts, was hit with a $500 million capital charge and class actions, and saw $4 billion wiped from its market value.
The pressure on Westpac continues. Two weeks ago, a Victorian man “suspected of using [Westpac’s] transfer system” was arrested for allegedly “attempting to arrange for a child to be exploited” in South-East Asia. AUSTRAC announced Wednesday the arrest of a 63-year-old Sydney man “accused of travelling to the Philippines to sexually abuse children” last month, after tracking 395 payments averaging $286 to overseas recipients “over a number of years”. The Bank of Philippines and 10 unnamed financial institutions linked with Westpac in that country are under investigation.
So far, it’s much like every other bank scandal. However, the case against Westpac, like many others, obscures disturbing issues, not widely reported, about the anti-money laundering system itself.
Three decades of complex compliance and intense regulatory activity have long obscured harsh realities, like the puny impact on crime, and that a regime ostensibly protecting economies itself harms developing countries, ordinary people and legitimate businesses. Westpac’s panicked response, closing one of the few remaining low-cost international funds transfer schemes, likely added to such harms, adversely affecting Pacific and Asian families dependent on remittances from Australia.
A newly released economic analysis also reveals a money laundering paradox — where the anti-money laundering regime further harms developing countries. Jurisdictions with the most ‘effective’ money laundering controls, according to international ratings, were found more likely to harbor the wealth of Isabel dos Santos, the daughter of Angola’s former president, accused of amassing a multi-billion dollar fortune exploiting her impoverished country, than countries with anti-money laundering ‘deficiencies’. Similar findings were made in the Troika Laundromat, which funneled billions of dollars out of Russia. “To make things worse”, Matthew Collin added, “developing countries are more likely to be punished” for not meeting standards, while rich countries meeting them are more likely to host illicit wealth stolen from such nations. (My own research explains why a method intended to evaluate the ‘effectiveness’ of anti-money laundering regimes is currently unable properly to evaluate effectiveness as it purports).
It’s too early to say how the Westpac case will ultimately play out (child exploitation allegations are always serious, and one commentator reckons that “massive, high-level cross-border tax evasion” on an “industrial scale” might be found), but separating some of the wheat from the chaff helps focus on other things that matter too.
Much attention was given to charges alleging over 23 million breaches of money laundering controls. Commentators compared it with Commonwealth Bank’s A$700 million penalty, with “just” 53,000 breaches.
While the number of breaches may influence the size of any penalty, it is virtually meaningless in terms of the severity of any underlying criminal activity.
For example, not reporting a few dozen transactions might be enough to help Mexico’s notorious Sinaloa cartel refinance its operational capabilities and invest billions of dollars in real estate. On the other hand, a software glitch overlooking a million Flight Centre transactions might reveal nothing more than the travel plans of ordinary people.
Symptomatic of a compliance culture measuring activity rather than results is the sheer number of alleged breaches. AUSTRAC might be required to add up each transaction, but the apparent precision of 23,032,422 ‘breaches’ (and others “too voluminous to quantify”) adds fuel to the media fire rather than any meaningful understanding of the case against Westpac.
The (less exciting) truth is that the regulator’s claim lists fewer than a dozen types of breach.
Big numbers, distilled
About 19.5 million alleged breaches involve ‘international funds transfer instructions’ (IFTIs). These are payments between Westpac and overseas banks (known as correspondent banks) to process transactions for each other’s customers. These must be reported to AUSTRAC within 10 days, with details about the origin of the funds passed on to other banks for processing.
AUSTRAC says that Westpac reported IFTIs late, often by a considerable margin. Of the 19.5 million IFTIs, about 2,000 weren’t reported, and 10,500 didn’t have the full information required. Another 3.5 million alleged breaches involve the bank’s data retention system deleting transactions earlier than mandated.
In addition to these automatic filings, banks must report ‘suspicious’ transactions. This doesn’t mean suspicious in the sense of necessarily involving any criminal activity. Typically, they’re unusual transactions, or match known methods criminals might use.
AUSTRAC also claims that Westpac didn’t review its systems and correspondent banking relationships well enough for its liking, or update its software quickly enough when AUSTRAC changed its descriptions of known methods used by criminals. AUSTRAC reckons this adversely affected Westpac’s monitoring for suspicious activity.
Poor outcomes, by design: Even if Westpac reported 23 million transactions on time, would it make any real difference?
AUSTRAC’s claims might be true. But what if Westpac had reported all 19.5 million transactions on time and kept the 3.5 million records the full seven years, leaving ‘only’ a few thousand breaches?
The reality is that only a tiny fraction of transactions is ever flagged as potentially suspicious, and a tinier number investigated.
Last year, according to AUSTRAC’s annual report, 155 million IFTIs and 246,458 suspicious matter reports were lodged.
With false-positive rates (the proportion of flagged transactions found to have no issues) often around 98% according to my sources, this means that Australian banks may have triggered more than 12 million investigation alerts before winnowing them down to some 246,000 reports.
Comparing this with results, AUSTRAC’s annual report says that its joint agency taskforce made 10 arrests involving 163 bank transactions, and recovered A$29.5 million.
(There were probably other arrests, because agencies in Australia and overseas use AUSTRAC data. For instance, AUSTRAC’s Fintel Alliance, a group of public and private sector agencies, including Westpac, “contributed” to 108 arrests and the closure of 90 accounts, and “helped” identify 87 potential victims, according to its annual report).
It’s impossible to pinpoint exactly, but AUSTRAC investigates a minuscule proportion of reported transactions. Even fewer involve any proven criminal activity, and fewer still are prosecuted.
This means that it’s likely that if Westpac filed the 19.5 million reports on time and kept the other 3.5 million as long as it should have, only a few, if any, would have led to the prosecution of offenders using Westpac accounts. (Although with hindsight and a multi-million dollar litigation budget it’s always easier to find more afterwards).
So, despite the clickbait of “23 million breaches”, and the risk that one of Westpac’s correspondent banks might have let dodgy transactions through, the crux of much of AUSTRAC’s complaint lies in alleged failures that might have allowed criminals, including sex offenders, not to be spotted earlier.
This universal requirement to report ‘suspicious’ activities lies at the heart of the modern anti-money laundering system, and the Westpac case helps illustrate why standardized reporting requirements designed like a giant stack of colanders to catch water are woefully inadequate in stopping crime.
Reporting ‘suspicious’ transactions no panacea
Not reporting ‘suspicious’ transactions can be serious, and explains the rationale for anti-money laundering laws to detect and prevent serious profit-motivated crime; and if sifting through millions of transactions is what it takes, it would be worth it.
The trouble is, it sounds fine in theory, but doesn’t work so well in practice. The system generates prodigious data, yet almost none points to crime. Instead, it creates a theoretical possibility of finding a proverbial needle in a continent of haystacks.
Don’t get me wrong. Suspicious transaction reports do trigger investigations, offenders are arrested, and assets seized. The system is designed to catch some criminals. But it has almost no impact on criminal finances or serious profit-motivated crime, including sexual exploitation.
For example, in 2011, the United Nations estimated that just 0.2% of the proceeds of crime are seized. My update of the UN’s estimate (in peer-reviewed research soon to be published) suggests that the global figure might be between 0.02% (one-fiftieth of one percent) and 0.1% (one-tenth of one percent). Other research, albeit with poor data and a methodology likely overstating results, suggests that Australia’s recovery rate might be 0.38%. (Other jurisdictions in that study ranged between 0.1% and 1.65%).
However, despite decades of poor results, anti-money laundering ratings data remain bizarrely opaque, authorities seldom perform rigorous cost/benefit analyses, and official estimates are notoriously inaccurate, so these figures are best seen only as general indicators of the scale of the problem persistently unaddressed. The take-out message is simple, if stark: The modern anti-money laundering movement finds some criminals but is terrible at finding enough to have any real impact on crime.
Banks are a much easier target for regulators.
But, you might say (as Australia’s Home Affairs Minister Peter Dutton did), Westpac gave “a free pass to pedophiles”.
That would be bad, obviously. But let’s not conflate “23 million breaches” with the relevant numbers.
All up, AUSTRAC alleges 3,057 low-value transactions consistent with known patterns indicative of child exploitation payments made by 12 Westpac customers to countries with known risks. (With just under $498,000 in total, the average payment was $163, and for each of the 12 customers averaged between $43 and $333. Customer 12 had a prior conviction for child exploitation offences, and allegedly sent $2,612 in 10 payments).
Westpac says that it filed suspicious matter reports for all 12 customers. AUSTRAC says that it should have done so sooner.
Consistently ineffective: 12 potential cases allegedly missed, tens of thousands go undetected
For Westpac and AUSTRAC alike, hindsight offers its usual clarity. But if Westpac had reported those 12 transactions earlier, authorities might have flagged some for investigation. Or not.
Twelve cases allegedly facilitating payments enabling child exploitation is bad, and Westpac should face consequences if it lodged reports late. If the bank shirked its responsibilities, penalties should be significant. But this claim highlights other important issues, and why thousands of similar cases go undetected.
Some of the problems with the modern anti-money laundering experiment lie in three words I bet you didn’t notice a few paragraphs ago. The sentence beginning “All up” sounds reasonable, and damning. But, examining some of the industry’s weasel words, we start to see why the system is so ineffective.
The trouble with looking for transfers “consistent” with “known” patterns “indicative” of child exploitation payments to countries with “known” risks is that countless legitimate payments exhibit similar features, and AUSTRAC’s checklists (known as typologies) don’t pinpoint criminal activity.
For example, if by some happenstance South East Asia’s sex-trafficking kingpins are all sitting in section E of the VIP area in the sports stadium at Ciudad de Victoria, 26km north of Manila, 6,300km north west of Sydney, regulatory ‘typologies’ are like telling bank investigators to “look North, or thereabouts, a few thousand miles, maybe.” (“And if you don’t report every instance matching this description, we’ll punish you.”)
This is a classic needle in a haystack problem. But rather than develop better ways to find the ‘needles’ of criminal activity, prescriptive regulations and checklists (“Philippines” is on such a list, clogging the system with millions of legitimate transactions rather than just the ones that matter), and the risk of massive penalties, force behavior often making it less likely to detect and prevent the awful crime that AUSTRAC (rightly) complains about.
Good intentions and poorly designed incentives
Well-meaning intent, to detect money laundering and help prevent serious profit-motivated crime, is a good thing. But well-designed incentives that actually help achieve those objectives are better.
AUSTRAC’s claim against Westpac illustrates some of the misaligned design elements baked into the modern anti-money laundering experiment.
One is that banks have little incentive to figure out better ways to find the proverbial ‘needles’ pointing to serious crime. In my experience, bank compliance professionals are passionate about stopping crime. Many do much more than ‘just comply’, but banks face an impossible dilemma. If they fully initiate systems better able to find criminal indicators in vast haystacks of legitimate financial transactions (and AUSTRAC’s FinTel Alliance helps with this, a little), banks risk prosecution for not reporting all transactions “consistent” with “known” patterns of payment to “known” risk countries. Even if they hand over a stack of criminal ‘needles’ on a silver platter, any still remaining in haystacks pose a grave risk. Under the current system, banks must still deliver the whole field of haystacks, inundating the system with poor intelligence; or face crippling consequences.
Nor do misaligned incentives affect only banks. Politicians have other reasons to implement anti-money laundering laws. Failure to do so, whether or not the laws work, risks affecting their country’s access to the international financial system. Nor do politicians face much pressure from voters. The public has been sold on the myths that money laundering is complex, best left to experts, that blame rests mostly with banks, and that ‘more regulation’ is the answer to just about every problem.
Even when banks are at fault, important issues remain hidden in that simple yet deeply flawed narrative. For example, the public has no idea that the modern anti-money laundering system has almost zero impact on crime. Nor that the huge expense of the system is incurred by legitimate businesses (in compliance costs) and passed on to all of us — in higher fees and taxes.
Some regulators have quietly begun to agitate for change, but many remain steeped in a shared belief system and specialist lexicon, strengthened by a constant stream of in-group conferences, three massive global gatherings each year, and a deep sense of camaraderie ‘fighting the good fight’ against money laundering. When they don’t even recognize a problem, there’s no incentive to change.
However, even regulators who admit privately that they want to deliver better outcomes also face warped incentives. The universal template shaping legislative frameworks forces regulators to make firms undertake mandated compliance activities, irrespective of any impact on crime.
Compliance matters, not catching criminals
Of course, regulators should investigate regulatory breaches, but that doesn’t mean they should ignore consequences.
No-one is taking too seriously bizarre elements in Australian law that penalties of $19–21 million per breach could add up to A$391–483 trillion (US$269–333 trillion) for Westpac, more than three times global GDP of US$86 trillion, but commentators still anticipate penalties of a billion dollars or more — so AUSTRAC’s claim has already delivered another reminder that ‘tick-the-box’ compliance matters. Catching criminals, not so much.
That’s because if Westpac reported every transaction it should have filed automatically, and every transaction matching approved descriptions of known patterns (and did both on time, kept the records the right time, and updated its software faster), the bank would have been in the clear — and AUSTRAC would still be just as busy not finding enough criminals to make a difference on crime.
If Westpac filed the reports it was meant to, the bank would have been as untroubled by anti-money laundering laws as most large-scale criminal enterprises, almost completely untouched by what I’ve been quoted in US Senate testimony and described in a research paper (with more details in a forthcoming paper) as perhaps the least effective anti-crime measure, anywhere, ever.
So, what does success look like?
My specialty is policy effectiveness and outcomes. In the anti-money laundering context, this means not just asking if we have laws, if they meet standards, or even if firms comply with them (which is where the current system mostly stops).
For effectiveness and outcomes, however, a key question is, do the rules work? (And, if not, what will work better?)
If some of the 12 people allegedly sending payments to porn sites or sex traffickers are found to have engaged in criminal behaviour, a few of them might be locked up. That’s a good thing. We might also get some perverse pleasure when governments spend millions of dollars penalizing banks billions of dollars. But, even aside from the fact that we all end up paying for it, the real tragedy is the harm we stop. Almost none.
When ‘success’ is seen from a regulatory compliance standpoint (notching up record penalties against banks), and failure is seen only by looking at the whole system (and its puny impact on serious crime), opposing voices will keep talking past each other, and we’re stuck with the same lousy results.
The sad reality is that three decades of prodigious effort and trillions of dollars spent on the ‘war’ against money laundering have resulted in a state of equilibrium: for banks (every few months, another will be prosecuted), for the media (gleefully reporting each new scandal), for regulators (proving their ‘busyness’ rather than any meaningful impact), and for the compliance industry, trading on fear stoked by regulatory failure baked into the system.
It’s business as usual for criminals too, where the anti-money laundering movement hardly even taxes crime. When criminals keep up to 99.9% of the earnings from misery, the anti-money laundering movement scarcely has the impact of a rounding error on criminal accounts.
So, what’s the solution?
Every ‘strategic’ review so far has figured out better ways to do what we’re already doing. Rather than constantly sweat the 0.1% impact achieved in three decades, here’s a novel idea. Let’s use outcomes science to develop ways to flip from the 0.1% impact on crime in “known” areas already done well, into the 99.9% zone where most criminals actually operate. Law enforcement agencies often think like this already. The regulatory system needs to catch up, to turn the trickle of cases it hands over to police into a flood.
However, absent political vision (or voter pressure) for better outcomes, and with regulators’ predilection pursuing banks to ‘prove’ their ‘success’, and with banks constantly responding to crises and ever-expanding regulations, there’s little pause, or inclination, to build a case proving what works.
In the meantime, the system remains designed as it was 30 years ago, the other way around. Facing massive penalties for not ticking boxes that don’t prevent crime, it’s unsurprising when banks respond by convening review panels to assess governance arrangements, appoint consultants to review processes, and hire thousands more compliance staff to protect themselves from regulators, and more diligently tick more boxes not preventing crime.
What do you think? What’s missing, or just plain wrong?