The recent enforcement actions by AUSTRAC and APRA against the Bank of Queensland Limited (BoQ) and the BoQ Group, in the form of separate enforceable undertakings, are a clear example of how the two regulators work together in relation to APRA-regulated financial service organisations.
Although the Memorandum of Understanding between APRA and AUSTRAC is not public, AUSTRAC’s CEO said that the two regulators had ensured the other had visibility of the progress of each of their actions against BoQ, as they worked in parallel on their separate investigations. APRA’s media release observed that APRA and AUSTRAC have worked closely together to ensure that their respective actions are appropriately co-ordinated and avoid unnecessary duplication.
AUSTRAC
AUSTRAC has accepted an Enforceable Undertaking from the Bank of Queensland Limited (BoQ) to improve its compliance with Australia’s anti-money laundering and counter-terrorism financing (AML/CTF) laws.
The action follows investigations by AUSTRAC, including a compliance assessment in 2018 and a follow-up compliance inspection in June 2022.
AUSTRAC’s 2022 feedback to BoQ was grouped under four key themes:
(a) Applicable Customer Identification Procedures. Having reviewed a sample of customer files, AUSTRAC identified potential non-compliance with the majority of files, including, among other things, instances where Bank of Queensland mischaracterised customer types and/or failed to address discrepancies.
(b) Enhanced Customer Due Diligence. AUSTRAC identified non-compliance in respect of BOQ’s ECDD program, including a failure to undertake appropriate measures when conducting ECDD.
(c) ML/TF Risk Assessment. AUSTRAC considered that Bank of Queensland’s approach to customer risk assessment and its methodology for determining customer risk required strengthening to ensure that Bank of Queensland was able to effectively identify, mitigate and manage the risks posed by its customers.
(d) Governance and Assurance. AUSTRAC found issues with Bank of Queensland’s remediation of customer files. In particular, AUSTRAC found a significantly higher volume of ACIP errors than that found by Bank of Queensland’s assurance processes. AUSTRAC was concerned that these issues, among others, suggested that Bank of Queensland’s board and senior management may not have had appropriate ongoing oversight of the systemic, long-term nature of these concerns.
The enforceable undertaking binds BoQ to an ongoing remedial action plan to improve its AML/CTF program, which AUSTRAC will monitor to ensure it is undertaken within agreed timeframes. As part of the enforceable undertaking, BoQ will engage an external auditor who will report back to AUSTRAC.
APRA
The Australian Prudential Regulation Authority (APRA) has agreed to a court-enforceable undertaking (CEU) from Bank of Queensland Limited (BOQ) acknowledging its past risk management and risk culture weaknesses and committing to rectify these serious issues.
The CEU follows significant breaches of APRA’s prudential standards in 2022 and 2023 relating to Liquidity, Outsourcing and Business Continuity Management which BoQ self-reported, and APRA’s prudential review into BOQ’s operational risk, compliance and risk culture. The CEU also incorporates the findings of an independent report on the root causes of these issues, which was completed at APRA’s request in April 2023.
APRA was concerned that underlying weaknesses in risk management practices, controls, systems, governance and risk culture (the “Underlying Weaknesses”) have allowed, and may, if not addressed, allow further, significant prudential issues to arise.
In addition to a remediation action plan, APRA will require BOQ to hold an operational risk capital add-on of $50 million to take effect from 30 May 2023. The capital add-on will remain in place until such time as BOQ has delivered the remedial action plan under the CEU to APRA’s satisfaction.
The Prudential Review and the Root Cause Analysis Report in relation to the Underlying Weaknesses confirmed that:
a. the design and operation of BOQ’s Risk Management Framework was insufficient for a bank of BOQ’s size and complexity. This was partly due to inadequate controls and over-reliance on manual controls;
b. BOQ was not able to sufficiently monitor risks, controls and obligations on an ‘end-to-end’ basis across the business, and it was unable to accurately report on and monitor non-financial risk;
c. BOQ’s ‘three lines of defence’ operating model was inadequate, with a low level of assurance provided by the second and third-line functions;
d. BOQ identified gaps in its risk culture in 2016, 2018, 2020 and 2022. However, BOQ’s risk culture remained immature and BOQ did not prioritise risk culture uplift sufficiently over that time;
e. BOQ lacked risk capability, experience and capacity to embed sustainable changes to remedy the Underlying Weaknesses;
f. reporting to the BOQ Board and to Board committees was overly positive and failed to highlight material issues. This impacted the BOQ Board’s ability to oversee and make sufficiently informed decisions on risks;
g. BOQ did not sufficiently engage with regulators when heightened risks or significant issues arose; and
h. BOQ’s performance and consequence management did not adequately hold BOQ’s leadership to account where risks and issues had not been adequately addressed.
Author: David Jacobson
Principal, Bright Corporate Law
The information contained in this article is not legal advice. It is not to be relied upon as a full statement of the law. You should seek professional advice for your specific needs and circumstances before acting or relying on any of the content.