Archive for November, 2019

Westpac and the “no-return” costs of compliance with regulations.

November 26, 2019

The problems that result when the profit motive clashes with popular demand for governments to catch those doing wrong, with human behaviour stirring the pot: all the way to public accusations of failing to report child pornography transactions.

Westpac’s current troubles go back to the 1990s, when they had outsourced their payment infotech to IBM. In the early 2000s they were starting to move it back, and fighting public perception that CBA was ahead in the data handling game.

2006, the banks were warned of new rules on tracking transactions coming into effect in 2010. The cost of this tracking falls on the banks, with no perceived return, so when implementation costs were estimated as small, the execs didn’t question the good news when setting budgets. Management hates “no-return” expenditure.

The project ran into problems and coincided with cost (staff) cuts, which saw experienced IT staff move out after hastily training their replacements. Things like the shift from bank staff filling out paper forms to staff filling out online forms (guess who had to design them) didn’t help. Management didn’t know enough to require and fund development of automated tracking of as much of the data as possible. Humans.

Using the internationally agreed SWIFT costs a little per transfer, and using outside systems allowed a shuffle which tracked most of the legally required data at a lower cost … profit motive. The IT area didn’t focus on the need for info for Government demands, and was inevitably tightly scheduled on the higher-ups’ required tasks, so didn’t go into the mare’s nest of the data handling (imagine IBM’s 1990 batch-based code adapted by departed staff, being worked on by next-gen programmers working in an on-demand data-use environment) to make sure the data could be hauled out. Humans.

2011 and 2012, data required to be held for 7 years was purged, involving over 1.5 million transactions, because of “poor oversight of data retention systems.” Humans.

2013, Austrac warned some executive level type at Westpac that there were problems, particularly with small transactions to geographic areas of risk. As with the Challenger disaster, it seems this warning did not go up the line to those who could order action, or was seen as low priority by them, or given a tiny budget. Humans again.

2016, Austrac briefed senior execs, and specifically mentioned that the Litepay system was at risk.

2017, many legacy systems and products had simply been shut during the past years, possibly unable to be made compliant. More work may be needed to investigate whether relevant data is there.

2018, Westpac got monitoring as required on Litepay, but overall systems were still not up to scratch.

Now consider: is the money spent on compliance no-return? Boards should consider the benefit of avoiding the future cost to reputation, legal cost, Government regulator penalties, IT overtime, and executive weeks spent in disaster control rather than improving a healthy organization.

References: https://www.itnews.com.au/news/westpac-busted-23m-times-over-epic-money-tracking-system-failure-534273
https://www.itnews.com.au/news/westpacs-hopeless-monitoring-software-festered-for-a-decade-534293