EX-1 2 tm2031386d3_ex1.htm EXHIBIT 1

Exhibit 1

ASX Release 24 SEPTEMBER 2020 Level 18, 275 Kent Street Sydney, NSW, 2000 Westpac and AUSTRAC reach agreement on AML/CTF civil proceedings subject to Federal Court approval Westpac Group has today announced it has reached an agreement with AUSTRAC to resolve the civil proceedings commenced in the Federal Court of Australia on 20 November 2019. Under the agreement, the parties have today, agreed to: •file with the Federal Court a Statement of Agreed Facts and Admissions •recommend to the Court that Westpac pay a civil penalty of $1.3 billion in relation to admitted contraventions of the Anti-Money Laundering and Counter-Terrorism and Financing Act 2006 (AML/CTF Act). As part of the agreement, Westpac has admitted to additional contraventions that are outlined in the amended statement of claim, and which contribute to the agreed penalty. Westpac Group Chief Executive Officer, Peter King, said: “I would like to apologise sincerely for the Bank’s failings. “We are committed to fixing the issues to ensure that these mistakes do not happen again. This has been my number one priority. We have also closed down relevant products and reported all relevant historical transactions. “This agreement is an important step in the court process. It provides more certainty to all our stakeholders as we continue to implement the measures in our Response Plan and complete the implementation of recommendations from the reviews that have been conducted,” he said. In June, Westpac released the findings from its investigation into its AML/CTF compliance issues as well as the Advisory Panel Report on governance and accountability.

“Westpac is taking action to address the areas where we have failed and are implementing all the recommendations of the Advisory Panel Report,” Mr King said. “We are strengthening our financial crime capability. We acknowledge the important role Westpac must play in protecting the integrity of the financial system. As part of this process we are improving our end-to-end financial crime risk management processes and have established clearer accountabilities for AML/CTF compliance. “Westpac has made substantial investments to strengthen its systems, processes, and controls to detect and report suspicious transactions. “We have recruited about 200 financial crime people to the group, created a new Group Executive position directly responsible for improving our financial crime capability, and established a new Board Legal, Regulatory and Compliance sub-committee,” he said. “We have also undertaken a reassessment of our culture, governance and accountability and are embarking on a comprehensive, multi-year program to strengthen how we manage non-financial risk across the Group. This includes a significant investment in training to support our people to better identify, assess and manage risks. “We are determined to continually lift our financial crime standards, comply with our obligations and uphold our customer, community, and regulatory expectations,” Mr King said. Westpac in its First Half 2020 results provided for an estimated penalty of $900 million, and associated costs at which time the bank noted the proceedings were complex and ongoing, and the ultimate penalty following either a settlement or a hearing, and in each case as determined by the Court may be materially higher or lower than the amount provided for. The penalty that Westpac and AUSTRAC will recommend to the Court reflects the outcome of ongoing review and dialogue with AUSTRAC. Westpac will increase the provision in its accounts for the year ending 30 September 2020 by a further $404 million to account for the higher estimated penalty and for additional costs, including AUSTRAC’s legal costs of $3.75 million. The Statement of Agreed Facts and Admissions is attached. For further information: David LordingAndrew Bowden Group Head of Media RelationsHead of Investor Relations 0419 683 411(02) 82534008 or 0438 284 863 This document has been authorised for release by Tim Hartin, General Manager & Company Secretary.

page 2

Federal Court of Australia NO. NSD 1914 of 2019 District Registry: New South Wales Division: Commercial and Corporations CHIEF EXECUTIVE OFFICER OF THE AUSTRALIAN TRANSACTION REPORTS AND ANALYSIS CENTRE Applicant WESTPAC BANKING CORPORATION ACN 007 457 141 Respondent A. INTRODUCTION 1This Statement of Agreed Facts and Admissions (SAFA) is made for the purposes of section 191 of the Evidence Act 1995 (Cth) (Evidence Act) jointly by the Applicant (the Chief Executive Officer (CEO) of the Australian Transaction Reports and Analysis Centre (AUSTRAC)), and the Respondent, Westpac Banking Corporation (Westpac). 2The SAFA relates to Proceedings NSD 1914/2019 commenced by the AUSTRAC CEO against Westpac on 20 November 2019 (Proceedings). By the Proceedings, the AUSTRAC CEO has sought declarations that Westpac contravened particular provisions of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act), and orders that it pay pecuniary penalties to the Commonwealth. 3This document identifies the facts relevant to the contraventions in the period 20 November 2013 to 20 November 2019 (the Relevant Period) admitted by Westpac for the purpose of the Proceedings. The facts agreed to, and the admissions made, are agreed to and made solely for the purpose of the Proceedings and do not constitute any admission outside of the Proceedings. 4 For the purposes of the Proceedings only, Westpac admits that it contravened sections 36(1), 45(2), 64(6) and 64(7)(f), 81, 98 and 115 of the AML/CTF Act in particular respects as set out in this SAFA. 5The parties have reached agreement as to the terms of relief to be sought from the Court to resolve the Proceedings. The parties acknowledge that, under section 175 of the AML/CTF Act, it is ultimately for the Court to determine whether Westpac contravened a civil penalty provision and the quantum of any pecuniary penalties that should be ordered. B. PARTIES AND BACKGROUND B.1 AUSTRAC 6The AUSTRAC CEO is appointed pursuant to section 211 of the AML/CTF Act. She is charged with enforcing compliance with the AML/CTF Act and subordinate legislation, including the Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No.1) (AML/CTF Rules) and has brought the Proceedings in that capacity.

B.2 Westpac 7Westpac is a company incorporated in Australia and a person within the meaning of section 5 of the AML/CTF Act. It is, and was at all material times, a reporting entity within the meaning of section 5 of the AML/CTF Act and a provider of designated services to customers within the meaning of section 6 of the AML/CTF Act. 8At all material times, Westpac has been an Authorised Deposit-Taking Institution (ADI), being a corporation that is authorised under the Banking Act 1959 (Cth) (Banking Act) to carry on banking business in Australia. At all material times it has carried on activities or business through a permanent establishment in Australia for the purposes of the AML/CTF Act. 9Westpac is a provider of financial services, including retail, business and institutional banking and wealth management products and services. B.3 Correspondent banking 10Correspondent banking, while an essential part of the international financial system, involves higher money laundering and terrorism financing (ML/TF) risks associated with cross-border movements of funds, jurisdiction risk (including the risks of operating in certain foreign countries) and risks associated with the transparency of the identity and source of funds of customers of the correspondent banks. 11Throughout the Relevant Period, Westpac had a correspondent banking relationship (as defined under section 5 of the AML/CTF Act) with the parent entity of Bank A (Bank A Parent), a subsidiary of Bank G (Bank G Subsidiary), and Banks B, C, D, E, F, H, I, J, K, L, M, N, O and P set out in Confidential Annexure A to this SAFA (correspondent banks) because: (a)Westpac and each correspondent bank were both banks; (b) Westpac carried out an activity or business at or through a permanent establishment in Australia and the correspondent bank carried out an activity at or through a permanent establishment in another country; (c)the relationship related, in whole or in part, to those permanent establishments; (d)the relationship was not of a kind specified in the AML/CTF Rules: and (e)the relationship involved a vostro account, being an account Westpac held for the correspondent bank in Australian dollars for the purpose of facilitating the settlement of international transactions on behalf of the correspondent bank's customers. 12Westpac also had non-correspondent banking relationships with Banks A and G. The identity of these banks is set out in Confidential Annexure A. 13At various points throughout the Relevant Period, Westpac had arrangements with each of the correspondent banks to allow for the international transfer of funds by overseas and domestic customers of the correspondent banks to Australian beneficiaries, as well as beneficiaries in other jurisdictions. 14Those arrangements varied as between the correspondent banks, but included those described in sections B.4 and B.5 respectively below, being the Direct Model Australasian Cash Management arrangements and off-system bank state branch (OSBSB) arrangements. 15Westpac's correspondent banking relationships with Banks B and C were also relevant to the LitePay product, described in section C.1.7 below. page 4

B.4 Direct Model Australasian Cash Management arrangements 16Throughout the Relevant Period, Westpac had in place arrangements with a number of correspondent banks that were provided under what were known as the Australasian Cash Management (ACM) arrangements. The ACM arrangements provided by Westpac to correspondent banks involved varied models and offerings, variously referred to as ACM1, ACM2 and ACM3, among other names. For the purposes of these Proceeding, the key ACM arrangements were those offered to a number of correspondent banks, including to Banks A to F, which were known as the “Direct Model” arrangements (the Direct Model ACM arrangements) and to Banks B and C which were known as the “Referral Model” arrangements (the Referral Model ACM arrangements). For Banks A, C, D, E and F, the Direct Model ACM arrangements were part of what was referred to within Westpac as the ACM1 offering, whereas the Direct Model ACM arrangement with Bank B was referred to within Westpac as the Bank B Direct Model Arrangement. The Referral Model ACM arrangements with Banks B and C were referred to within Westpac as the ACM2 arrangements. 17These Direct Model ACM arrangements varied as between the correspondent banks, but generally allowed the correspondent banks to use Westpac’s infrastructure to process payments for their overseas and domestic customers through Westpac's direct access to the low value clearing network in Australia and New Zealand. 18The functionality of the Direct Model ACM arrangements (particularly the ability to make recurring, low value payments from across the world) meant that they were an attractive solution for governments and corporate clients of correspondent banks. The Direct Model ACM arrangements enabled customers (payers) of correspondent banks to make low value as well as high value payments to multiple beneficiaries (payees) in Australia or New Zealand through a single communication channel. The sending of structured files is generally a more efficient and lower cost solution for government and other clients of correspondent banks than sending standard Society for Worldwide Interbank Financial Telecommunication (SWIFT) payment messages that involve a single payer and a single payee. 19Payment instructions under the Direct Model ACM arrangements were generally initiated by the customer of the correspondent bank using the correspondent bank’s platform. The correspondent bank then formatted the payment instructions into an agreed structured data file format (which could include multiple instructions) and transmitted that file to Westpac. Westpac referred to these instructions as 'batched files', 'structured data files' or 'structured files'. For the purposes of this SAFA, they are referred to as Structured Files. 20The majority of instructions included in Structured Files received through the Direct Model ACM arrangements were for payments to be processed through the Direct Entry System (Direct Entry), a domestic payments system administered by the Australian Payments Network Limited (AusPayNet). The ACM payment channel was initially developed to facilitate government pension payments. Over time, additional types of commercial payments were sent through this channel by Bank A, including payment aggregator transactions (i.e., a payment aggregator in the foreign country collecting payment instructions from multiple parties) and supplier payments (i.e., global companies sending multiple payments to multiple suppliers in Australia). 21Globally, most international transfers are sent as one-to-one payments (i.e. involve a single payer and a single payee) through the SWIFT network. These transfers must comply with the SWIFT

messaging format and SWIFT Guidelines, which outline mandated data fields. These data fields include certain data about the ordering customer, or payer, and about the payee. 22The Structured Files sent through the Direct Model ACM arrangements could contain multiple payment instructions and were sent to Westpac via SWIFT FileAct, which is a secure file transfer mechanism between correspondent banks designed and provided by SWIFT, or via a direct HTTP or SCP connection between the correspondent bank and Westpac. These file transfer mechanisms allow the transmission of non-SWIFT formatted content (containing less payment information than the standard SWIFT payment messages, such as MT103 payment messages). SWIFT FileAct was designed for, amongst other things, the transmission of payment instructions. 23Where instructions were sent through the Direct Model ACM arrangements, once received, Westpac loaded the Structured Files onto the Direct Entry or the Real Time Gross Settlement (RTGS) service, after which the funds were dispersed to the beneficiaries in accordance with the instructions contained in the Structured Files. Thereafter, the correspondent bank settled payment for the transfer of funds contained in the Structured Files through its corporate operating account with Westpac, save for Bank A, which settled payments for instructions in the Structured Files through a corporate operating account held with its affiliate entity. Each of these corporate operating accounts was a vostro account for the purposes of the AML/CTF Act and AML/CTF Rules. 24The Direct Model ACM arrangements involved the provision of designated services by Westpac to customers within the meaning of section 6(1) of the AML/CTF Act. 25The Referral Model ACM arrangements with Banks B and C generally involved a correspondent bank referring a customer to Westpac. Westpac would open an account in the name of the overseas customer or a related entity. Transactions on the Westpac account could be facilitated through the correspondent bank’s platform. Similar to the Direct Model ACM arrangements, the Referral Model ACM arrangements effected payments through Direct Entry, RTGS and Outgoing Telegraphic Transfer (OTT). 26The Referral Model ACM arrangements involved the provision of designated services by Westpac to customers within the meaning of section 6(1) of the AML/CTF Act. B.5 OSBSB arrangements B.5.1 The OSBSB arrangement with Bank B 27As noted above, the Direct Model ACM arrangement with Bank B was sometimes referred to as the Bank B Direct Model arrangement, the nature and operation of which is described immediately below. 28The Direct Model ACM arrangement with Bank B differed from the Direct Model ACM arrangements with Banks A, C, D, E and F in a number of respects, including that it allowed for 'outgoing' international funds transfer instructions (IFTIs) (i.e., instructions to send funds out of Australia) as well as 'incoming' IFTIs (i.e., instructions to send funds into Australia). For the purposes of this SAFA, the arrangement that allowed for Westpac to send outgoing IFTIs as part of the Direct Model ACM arrangement with Bank B is called the Bank B Outgoing IFTIs Arrangement. Further detail regarding the Bank B Outgoing IFTIs Arrangement is set out in paragraphs 36 to 40. 29For the Direct Model ACM arrangement with Bank B, Westpac provided Bank B with a corporate operating account comprising of a BSB and Account number (the Bank B Settlement Account). page 6

In addition, Westpac provided Bank B with an OSBSB and linked this OSBSB to the Bank B Settlement Account. Westpac registered the OSBSB with AusPayNet under the name of Bank B. The registration of the OSBSB and the name were published by AusPayNet in its BSB database. 30In its own books, Bank B created a number of sub-accounts. These sub-accounts were then provided with the OSBSB to Bank B's customers. Each customer had a different account number with the same OSBSB number. The settlement of funds upon receipt of a payment were to the Bank B Settlement Account. Each such sub-account mirrored an AUD account held by Bank B's customer with Bank B's Singapore branch (the Singapore Account). 31Bank B allocated each sub-account a reference number. For transfers into and out of the Bank B Settlement Account, the reference number allocated by Bank B served as the account number used to process the payment through the domestic Australian payment systems. The OSBSB was registered in the name of the correspondent bank using the Westpac brand BSB range formula and with Westpac registered as the financial institution. 32The OSBSB allocated to Bank B permitted it to create multiple sub-accounts and allocate each sub-account with a reference number which could be used as an account number for the purposes of transferring money to the OSBSB account through Direct Entry. As such, Bank B maintained customer accounts on its own ledgers using this OSBSB. Transfer instructions out of Bank B's Singapore Account – 'inward IFTIs' 33When a Bank B customer wished to transfer money out of their Singapore Account to an Australian payee, they could request that transfer by giving an instruction to Bank B in Singapore. Bank B's customer would instruct Bank B via the internet banking platform of Bank B. Bank B aggregated instructions received from its customers and provided them to Westpac in the form of a Structured File. 34Westpac processed the transfer instruction through the appropriate Australian domestic payment system (i.e. Direct Entry, RTGS or by issuing a bank cheque). 35Processing the transfer instruction through the Australian domestic payment system resulted in the transferred money being drawn from the Bank B Settlement Account. Bank B reduced the balance of the Singapore Account by a corresponding amount. Transfer instructions into Bank B's Singapore Account – the Bank B Outgoing IFTIs Arrangement 36As set out in paragraphs 28 to 32, the Direct Model ACM arrangement with Bank B allowed 'outgoing IFTIs', being transfers to the AUD account held by Bank B's customer with Bank B in Singapore. 37Money paid by a third party (i.e. a debtor of Bank B's customer) (the Bank B Customer Debtor) into the Bank B Settlement Account using the Australian domestic payment systems could then be transferred into the Singapore Account, via the Bank B Settlement Account. As with any bank account, the Bank B Customer Debtor could also deposit cash or cheque into the Bank B Settlement Account, at a Westpac branch. To make the payment, the Bank B Customer Debtor would use the OSBSB for the Bank B Settlement Account as the BSB number and the reference number for the sub-account. 38Westpac reported transfers to the Bank B Settlement Account to Bank B by sending an account statement in BAI2 Statement Format to Bank B (in Singapore). “BAI2 Statement Format” is a

standard format for account statements, to which Bank B requested minor changes for the purposes of the Bank B Outgoing IFTIs Arrangement. That account statement included the information required by Bank B to adjust the balance of the relevant Singapore Account to reflect the AUD amount of the money transferred. 39Bank B adjusted the balance of the Singapore Account to reflect transfers into the Bank B Settlement Account that correspond to the relevant reference number. Such transfers into the Bank B Settlement Account resulted in a balance adjustment to the corresponding Singapore Account. 40The OSBSB arrangements with Bank B described above involved the provision of designated services by Westpac to customers within the meaning of section 6(1) of the AML/CTF Act. In particular, transactions on the Bank B Settlement Accounts were designated services within the meaning of item 3, table 1 of section 6(1) of the AML/CTF Act. B.5.2 The OSBSB arrangement with Bank J 41Westpac provided Bank J Sydney branch with a corporate operating account (the Bank J Settlement Account). In addition, Westpac provided Bank J Sydney branch with an OSBSB. This OSBSB was registered by Westpac with AusPayNet and was published within the AusPayNet database. Bank J provided its customer with a unique account number for the OSBSB. Bank J’s parent entity, domiciled in an overseas jurisdiction, sent payments to the Bank J Sydney branch Settlement Account to make and receive international payments on behalf of its customers, although, on Westpac's review, only one instance has been identified of an international payment being made or received on behalf of Bank J Sydney branch's customers. 42The OSBSB allocated to Bank J permitted it to create multiple sub-accounts and allocate each sub-account with a reference number which could be used as an account number for the purposes of transferring money to the OSBSB account through Direct Entry. Bank J maintained customer accounts on its own ledgers using this OSBSB. 43A third party (i.e. a debtor of Bank J's customer) (the Bank J Customer Debtor) could transfer money from an Australian bank account into the Bank J Settlement Account, using the Australian domestic payment systems. As with any bank account, the Bank J Customer Debtor could also deposit cash or cheques into the Bank J Settlement Account, at a Westpac branch or IDM. For deposits other than through ATMs, to make the payment, the Bank J Customer Debtor would use the OSBSB for the Bank J Settlement Account as the BSB number and the reference number for the sub-account or the Bank J Settlement Account details. 44The OSBSB arrangements with Bank J described above involved the provision of designated services by Westpac to customers within the meaning of section 6(1) of the AML/CTF Act. In particular, transactions on the Bank J Settlement Account were designated services within the meaning of item 3, table 1 of section 6(1) of the AML/CTF Act. C. FACTS RELEVANT TO LIABILITY C.1 IFTI Reports – Contraventions of section 45 of the AML/CTF Act C.1.1The relevant IFTIs 45The admitted contraventions of section 45 of the AML/CTF Act concern certain IFTIs received or sent by Westpac under the following arrangements.

Incoming IFTIs (a)IFTIs received by Westpac from Banks A, B, C and D under the Direct Model ACM arrangements (the Bank A, B, C and D Incoming IFTIs). (b)IFTIs received by Westpac under arrangements with Ordering Institution A (the Ordering Institution A Incoming IFTIs). Outgoing IFTIs (c)IFTIs sent by Westpac under the Bank B Outgoing IFTIs Arrangement (the Bank B Outgoing IFTIs). (d)IFTIs sent by Westpac under LitePay arrangements with Banks B, C and Q (the LitePay Outgoing IFTIs). IFTIs without payer names (e)IFTIs received by Westpac from Banks A and F under the Direct Model ACM arrangements C.1.2Bank A, B, C and D Incoming IFTIs 46To the extent that Westpac was a recipient of an IFTI transmitted into Australia as described in item 2 of the table in section 46 of the AML/CTF Act (incoming IFTI), section 45(2) of the AML/CTF Act required Westpac, within 10 business days after the day on which the instruction was received by it, to give the AUSTRAC CEO a report about the instruction. That report was required, by section 45(3) of the AML/CTF Act, to be in the approved form and contain such information relating to the matter as was specified in the AML/CTF Rules. 47During the Relevant Period, Westpac received approximately 29.6 million incoming IFTIs. 48The following table sets out how many incoming IFTIs Westpac received from Banks A, B, C and D under the Direct Model ACM arrangements for the period from 5 November 2013 to 3 September 2018, and how many of these IFTIs were not reported within the required 10 business days (the Late Bank A, B, C and D Incoming IFTIs). 49The Bank A, B, C and D Incoming IFTIs were: (a)electronic funds transfer instructions for the purposes of section 8(1) of the AML/CTF Act in that: (i)the customer (the payer) instructed either Bank A, B, C or D (which were banks for the purposes of section 8(1)(c)(ii) of the AML/CTF Act) to transfer money controlled by the payer to a third person (the payee) on the basis that the page 9

transferred money would be made available to the payee by a beneficiary institution in Australia (which was either an ADI, bank, building society or credit union for the purposes of section 8(1)(d) of the AML/CTF Act); and (ii)the transfer instructions referred to in subparagraph (i) above were passed on wholly or partly by electronic means; and (b)accepted at or through a permanent establishment of one of Banks A, B, C or D in a foreign country. 50The transferred money relating to each of the Bank A, B, C and D Incoming IFTIs was made available to the payee at or through a permanent establishment of the beneficiary institution in Australia. 51By reason of the matters referred to in paragraphs 46 to 50 above, Westpac was required to give the AUSTRAC CEO a report of each of the Bank A, B, C and D Incoming IFTIs within 10 business days after the date each of these IFTIs was received. 52In the period from October 2018 to October 2019, Westpac gave the CEO of AUSTRAC reports of 19,428,039 Late Bank A, B, C and D Incoming IFTIs. Each of those reports was provided later than 10 business days after the date the IFTI was received by Westpac, as required by section 45(2) of the AML/CTF Act. C.1.3Reasons for failure to report: Banks A and B 53Pursuant to the staggered implementation timeline for the requirements introduced by the AML/CTF Act, reporting entities were required to implement IFTI reporting in accordance with the AML/CTF Act by 12 September 2010.1 54In order to comply with its obligations under the AML/CTF Act, including in relation to IFTI reporting, Westpac commenced a series of substantial projects involving changing and upgrading the relevant Westpac systems. 55Despite having intended to report IFTIs for both Bank A and Bank B from late 2011, this did not happen. From late 2011 Westpac proceeded on the misapprehension that the project to report IFTIs received as Structured Files (the Structured Files IFTI Implementation) had been successful, with IFTIs being reported for Bank A and Bank B. 56As set out in paragraphs 57 to 67 below, the failure to commence reporting IFTIs for the Direct Model ACM arrangements with Banks A and B was caused by a number of factors, including technological failures, uncertainty as to which Direct Model ACM arrangements were in scope for which Norkom Release (described further in paragraphs 64 to 66 below), insufficient post implementation review to confirm that all arrangements the subject of the Structured Files IFTI Implementation resulted in IFTIs being reported and an absence of appropriate end-to-end reconciliation, assurance and oversight processes for IFTI reporting. 57In order successfully to report Structured File IFTIs to the AUSTRAC CEO, various computer systems within Westpac, including the Qvalent, Westpac Integrated Banking System (WIBS), Sterling Integrator and Norkom/Detica systems, needed to be properly configured, as described immediately below. 1 The extension of the IFTI reporting requirement for reporting entities to 12 September 2010 followed the identification of issues by AUSTRAC during the transition testing phase, during which time it worked closely with the major reporting entities, including Westpac. page 10

58Qvalent and WIBS are systems through which Westpac receives payment instruction files from correspondent banks. Structured Files received from Bank A were received through Qvalent and passed to WIBS for processing. Structured Files received from Bank B were received through WIBS, not Qvalent. 59WIBS was a Westpac system that enabled customers to connect to Westpac using a variety of different connectivity methods (SWIFT FileAct, SFTP, FTP, HTTPS and XCOM) to send and receive data, including instructions relating to transfers into and out of the customer’s account and account statements. The files received by WIBS were processed within WIBS according to a configuration that was set in accordance with the arrangement with each Westpac customer. This configuration determined if the files required transformation (from one format to another), which payment system they should be passed to for processing, and any other customer-specific processing rules. WIBS connectivity solutions were used by each correspondent bank using the Direct Model ACM arrangements, including Banks A and B. Structured Files received through WIBS were then passed to other systems to effect payment and file necessary regulatory reports (including IFTIs). 60Sterling Integrator was an intermediate system that transferred files between systems within Westpac. 61Norkom (subsequently called Detica) was Westpac's financial crime detection, case management and regulatory reporting information technology system, developed by Norkom and provided by vendor BAE Systems. The Detica system was used as the primary tool for customer screening (in respect of terrorism financing, sanctions and politically exposed person lists), customer risk assessments, sanctions payments screening and transaction monitoring alert workflow and case management, as well as facilitating the reporting of suspicious matters, threshold transactions and IFTIs. 62Where all systems were properly configured, Structured Files were received by Westpac via WIBS, converted to an IFTI reporting format, passed to Norkom/Detica using Sterling Integrator and then processed into an IFTI report in the specified format to be uploaded to AUSTRAC. 63Over the course of the projects referred to in paragraph 54 above, it became evident to Westpac that particular issues were associated with reporting IFTIs for the Structured Files, and that Westpac would not meet the 12 September 2010 timeframe (or subsequently agreed timeframes) for the completion of the Structured Files IFTI Implementation (including for those IFTIs received through the ACM arrangements in place with correspondent banks). Westpac was in regular correspondence with AUSTRAC in late 2010 and early 2011 regarding the timing of the Structured Files IFTI Implementation. 64Following engagement with AUSTRAC with respect to the delay, Westpac commenced reporting IFTIs received in Structured Files pursuant to a series of “Norkom Releases”. 65The relevant “Norkom Releases” were as follows: (a)In November 2010, pursuant to the November 2010 Norkom Release, Westpac commenced reporting IFTIs received through the SWIFT network. This reporting did not include Structured Files. (b)Reporting of Structured Files was intended to commence in March 2011. However, due to technical errors identified in the testing process, the reporting of IFTIs for Structured page 11

Files received through Westpac's ACM arrangements was rescheduled to August 2011, to be effected by the August 2011 Norkom Release. (c)Before the August 2011 Norkom Release, in July 2011, Westpac implemented a process known as the “July 2011 WIBS ‘go live’”. The “July 2011 WIBS ‘go live'” process aimed to enable the reporting of IFTIs received through the ACM arrangements. However, to result in IFTIs being reported, the changes to be implemented by the “July 2011 WIBS ‘go live’” process required the implementation of an IFTI converter correctly configured for the Structured File formats used by each of the correspondent banks. That in turn required the correct configuration of WIBS, the Sterling Integrator and Detica. In particular: (i)WIBS would receive and process Structured Files before passing them to other systems to effect payment and file necessary regulatory reports (including IFTI reports). The implementation and correct configuration of an IFTI converter was an essential part of the process. These IFTI converters read the data contained in each Structured File and converted the data in each of the Structured Files into the format required by the Detica system. A separate IFTI converter was required for each ACM arrangement to reflect the differences in the Structured Files received. Those IFTI converters then placed a copy of the reformatted IFTI data in a dedicated “IFTI directory” within WIBS; and (ii)only if the IFTI data was correctly configured could the Sterling Integrator transfer this data to the Detica system to enable it to be reported to AUSTRAC in the necessary IFTI reports. As part of the "July 2011 WIBS 'go live'", IFTI converters were implemented and correctly configured for a number of correspondent banks which were at that time using the Direct Model ACM arrangements (including Banks D, E and F). This led to the IFTIs being reported for these correspondent banks following the August 2011 Norkom Release. (d)A further release occurred in November 2011 (the November 2011 Norkom Release). 66The non-reporting of IFTIs for the Direct Model ACM arrangements with Banks A and B was caused by a number of factors, including technological failures and uncertainty as to which Direct Model ACM arrangements were in scope for which Norkom Release, and insufficient post implementation review to confirm that all arrangements the subject of the Structured Files IFTI Implementation resulted in IFTIs being reported. The following factors are likely to have caused or contributed to the issue of IFTI reporting for the Direct Model ACM arrangements with Banks A and B not commencing in 2011: (a)Each of the Bank A and Bank B arrangements was included as either in or out of scope for particular Norkom Releases (as distinct from being out of scope entirely or not mentioned at all), and at least some work was undertaken towards reporting IFTIs for these arrangements. (b)There was some uncertainty regarding whether Bank A was in scope for the August 2011 Norkom Release. Ultimately, however, it appears not to have been included within scope. Notwithstanding this, following the August 2011 Norkom Release, relevant personnel within Westpac at the time incorrectly understood that the IFTI reporting in relation to Bank A had in fact commenced and that thereafter the only item in the Structured Files implementation process remaining was to ensure that Bank B was in fact included in the November 2011 Norkom Release. page 12

(c)Bank B was in scope for the November 2011 Norkom Release, following which relevant personnel within Westpac incorrectly understood that the IFTI reporting in relation to Bank B had in fact commenced. (d)Between August 2011 and August 2012, approximately fifteen members of the WIBS team left Westpac to work for ANZ, which may have contributed to a loss of corporate knowledge of the complexity of the relevant arrangements and to an insufficient post-implementation process to verify that incoming IFTIs for Banks A and B were being reported to AUSTRAC. 67Westpac did not have appropriate end-to-end reconciliation, assurance and oversight processes in place to identify the ongoing IFTI reporting failures relating to the Direct Model ACM arrangements with Banks A and B. 68The issues surrounding Westpac not identifying the Bank A and Bank B IFTI non-reporting and bringing it to the attention of senior management until around mid-2018 are set out in section E.1.1, commencing at paragraph 318 below. C.1.4Reasons for failure to report: Banks C and D 69As set out in paragraph 48 above, over 99.9% of the IFTIs received from Bank C and over 97% of the IFTIs received from Bank D between 5 November 2013 and 3 September 2018 were reported to AUSTRAC within 10 business days of Westpac receiving the relevant IFTI. This is because, unlike for Bank A and Bank B, IFTI reporting commenced for the Direct Model ACM arrangements: (a)with Bank C: upon the commencement of the Direct Model ACM arrangement with Bank C in 2016; and (b)with Bank D: in 2011 (as part of the August 2011 Norkom Release). 70Once the Group MLRO became aware of the IFTI non-reporting for the Direct Model ACM arrangements with Bank A and Bank B in or around May 2018 (as detailed in section E.1.1 below), Westpac commenced an extensive reconciliation and validation exercise (involving KPMG) in relation to IFTI reporting for the ACM arrangements with a number of correspondent banks, including Banks C and D (the IFTI Reconciliation and Verification Project). 71Through the IFTI Reconciliation and Verification Project, Westpac identified and promptly informed AUSTRAC that it had identified isolated instances of non-reporting for some other arrangements, including the Direct Model ACM arrangements with Banks C and D. The reasons for these isolated instances of non-reporting are set out below. Bank C 72The reason for the non-reporting of 37 incoming IFTIs for Bank C (which related to six Structured Files) in accordance with section 45(2) of the AML/CTF Act was a programming error in the core scheduling engine at Qvalent, which prevented the IFTI reporting process from running to completion on non-banking days, and also for Structured Files received on non-banking days. This issue was not identified at the time as affecting the IFTI reporting process. The programming error affected reporting for six Structured Files received from Bank C between March and December 2017.

73Westpac did not have appropriate end-to-end reconciliation, assurance and oversight processes in place to identify the IFTI reporting failures relating to the Direct Model ACM arrangements with Bank C. 74The non-reporting of the incoming IFTIs for Bank C was first identified on 27 August 2018 as part of the IFTI Reconciliation and Verification Project and was disclosed to AUSTRAC on 17 October 2018. The non-reported IFTIs were provided to AUSTRAC on 22 October 2018. Bank D 75The reasons for to the non-reporting of 13,239 incoming IFTIs for Bank D (which related to 25 Structured Files) in accordance with section 45(2) of the AML/CTF Act were as follows: (a) For 24 of the 25 Structured Files, the non-reporting was due to the same programming error in the core scheduling engine at Qvalent described at paragraph 72 above, which affected reporting for 24 Structured Files received from Bank D between October 2017 and January 2018. (b)For the remaining Structured File (received on 15 December 2014), Westpac has been unable to identify the root cause of the non-reporting. System logs indicate that there was a delay in the generation of overnight IFTI reporting files, which led to those files being supplied from WIBS to the Detica system after midnight. This delay resulted in two sets of IFTI files being received by Detica on the same date. This may have caused the non-reporting of the IFTIs received on 15 December 2014. 76Westpac did not have appropriate end-to-end reconciliation, assurance and oversight processes in place to identify the IFTI reporting failures relating to the Direct Model ACM arrangements with Bank D. 77The non-reporting of the incoming IFTIs for Bank D was first identified by Westpac on 27 August 2018 as part of the IFTI Reconciliation and Verification Project and was disclosed to AUSTRAC on 17 October 2018. The non-reported IFTIs were provided to AUSTRAC between 22 October and 21 November 2018. C.1.5Ordering Institution A Incoming IFTIs 78In addition to its relationships with the correspondent banks described above, since 1 October 2016 Westpac had an arrangement with Ordering Institution A, the identity of which is set out in Confidential Annexure A to this SAFA. Ordering Institution A was an ordering institution for the purposes of section 8 of the AML/CTF Act. The arrangement between Westpac and Ordering Institution A allowed for the transfer of international payments by overseas customers of Ordering Institution A to Australian beneficiaries. 79Westpac’s relationship with Ordering Institution A arose out of its relationship with X Corporation (the identity of which is also set out in Confidential Annexure A to this SAFA), which commenced on 16 November 2011. X Corporation was acquired by Ordering Institution A with the transaction completing on 12 November 2015. The relevant arrangement with Ordering Institution A commenced on 1 October 2016. 80Through that arrangement: (a)overseas customers of Ordering Institution A initiated requests for payment instructions through an application or desktop interface;

(b)Ordering Institution A received those payment instructions in the United States of America; (c)Ordering Institution A sent those instructions to Westpac via a direct Secure File Transfer Protocol (SFTP) connection in a Structured File; (d)Westpac processed those payment instructions to Australian beneficiary accounts; and (e)the transfers within the domestic Australian payment system were funded from an account held by Ordering Institution A with Westpac. Ordering Institution A funded that account by transfers from its bank account in a foreign country. That transfer was processed by means of a SWIFT message sent from Ordering Institution A’s foreign bank. 81At the time Westpac originally entered into the relevant arrangements with X Corporation on 16 November 2011, X Corporation was not a class of person that was an ordering institution within the meaning of section 8 or 9 of the AML/CTF Act. To the extent that the arrangements with X Corporation involved electronic funds transfer instructions, the first person in the funds transfer chain that was an ordering institution was always Westpac and Westpac accepted the instruction in Australia (such that the electronic funds transfers were not IFTIs within the meaning of item 4 of the table in section 46 of the AML/CTF Act because the money was made available to the payee by being credited to an account with an Australian bank). 82Following Ordering Institution A’s acquisition of X Corporation, from 1 October 2016 Ordering Institution A replaced X Corporation as the entity from which Westpac received instructions under the arrangement. The replacement of X Corporation with Ordering Institution A had a consequential impact on Westpac’s IFTI reporting obligations in respect of the arrangement. However, Westpac’s control environment at the time, including its end-to-end reconciliation processes, did not detect this change to its incoming IFTI reporting obligations having regard to Ordering Institution A’s acquisition of X Corporation. Ordering Institution A’s acquisition of X Corporation did not trigger a review of Westpac's anti-money laundering and counter-terrorism financing (AML/CTF) reporting obligations in relation to the arrangement. 83In September 2018, Westpac commenced a detailed analysis of international payment flows involving Westpac’s financial institution clients outside its ACM arrangements to determine whether reportable IFTIs were not, in fact, being reported. In November 2018, as part of that analysis, Westpac formed the view that it should commence reporting IFTIs in respect of its arrangement with Ordering Institution A. This change in view was reported to senior management, including the General Manager of Global Transaction Services, in November 2018. Westpac informed AUSTRAC of this change in approach on 21 November 2018. 84From October 2016 to 19 November 2018, Westpac was the recipient of 61,717 incoming IFTIs under the Ordering Institution A arrangements described above, totalling approximately $101,333,384. Those incoming IFTIs were: (a)electronic funds transfer instructions for the purposes of section 8(1) of the AML/CTF Act in that: (i)the customer of Ordering Institution A (the payer) instructed Ordering Institution A to transfer money controlled by the payer to a third person (the payee) on the basis that the transferred money would be made available to the payee by a

beneficiary institution (which was either an ADI, bank, building society or credit union for the purposes of section 8(1)(d) of the AML/CTF Act); and (ii)the transfer instructions referred to in subparagraph (i) above were passed on wholly or partly by electronic means; and (b)accepted at or through a permanent establishment of Ordering Institution A in a foreign country. 85The transferred money relating to each incoming IFTI referred to in paragraph 84 above was made available to the payee at or through a permanent establishment of the beneficiary institution in Australia. 86By reason of the matters referred to in paragraphs 46 and 78 to 85 above, Westpac was required to give AUSTRAC a report of each of the incoming IFTIs referred to in paragraph 84 above within 10 business days after the date each incoming IFTI was received. 87In the period from 27 May 2019 to 20 September 2019, Westpac gave AUSTRAC a report of each incoming IFTI referred to in paragraph 84 above. The 61,717 reports were provided later than 10 business days after the incoming IFTIs’ receipt by Westpac as required by section 45(2) of the AML/CTF Act. C.1.6Bank B Outgoing IFTIs 88To the extent that Westpac was the sender of an IFTI transmitted out of Australia as described in item 1 of the table in section 46 of the AML/CTF Act (outgoing IFTI), section 45(2) of the AML/CTF Act required Westpac, within 10 business days after the day on which the instruction was sent by it, to give the AUSTRAC CEO a report about the instruction. That report was required by section 45(3) of the AML/CTF Act to be in the approved form and contain such information relating to the matter as was specified in the AML/CTF Rules. 89During the Relevant Period, Westpac was the sender of 10,771 Bank B Outgoing IFTIs totalling $707,409,296, which was part of the Direct Model ACM arrangements that were in place with Bank B. Those outgoing IFTIs were: (a)electronic funds transfer instructions for the purposes of section 8(1) of the AML/CTF Act in that: (i)the customer (the payer) instructed Westpac (the ordering institution, and an ADI for the purposes of section 8(1)(c)(i) of the AML/CTF Act) to transfer money controlled by the payer to a third person (the payee) on the basis that the transferred money would be made available to the payee by Bank B (the beneficiary institution, and a bank for the purposes of section 8(1)(d)(ii) of the AML/CTF Act); and (ii)the transfer instructions referred to in subparagraph (i) were passed on wholly or partly by electronic means; and (b)accepted at or through a permanent establishment of Westpac in Australia. 90The transferred money relating to each outgoing IFTI identified at paragraph 89 above was made available to the payee at or through a permanent establishment of Bank B in a foreign country.

91By reason of the matters referred to in paragraphs 88 to 90 above, Westpac was required to give AUSTRAC a report of each outgoing IFTI referred to in paragraph 89 above within 10 business days after the date each outgoing IFTI was sent. 92On 4 October 2019, Westpac gave AUSTRAC reports of each outgoing IFTI referred to in paragraph 89 above. The 10,771 reports were not provided within 10 business days of Westpac sending the outgoing IFTIs, as required by section 45(2) of the AML/CTF Act. 93The reason that the outgoing IFTIs for Bank B were not reported to AUSTRAC in accordance with section 45(2) of the AML/CTF Act was that before November 2018, Westpac held the mistaken view that there was no relevant “instruction” to Bank B. This is because the arrangement involved Westpac reporting transfers to the Bank B Settlement Account to Bank B by sending a BAI2 Statement Format account statement to Bank B, details of which are set out in paragraph 38 above. Prior to November 2018, Westpac’s view was that the statements in BAI2 Statement Format were account statements, and did not constitute “instructions”. Westpac did not have appropriate processes in place to identify and correct this mistaken view. Further detail regarding the reasons that the outgoing IFTIs for Bank B were not reported to AUSTRAC is set out in section E.1.1 below. 94However, during the course of Project 106 (a Westpac project established in August 2018 to ascertain the scale of IFTI non-reporting in respect of the Direct Model ACM arrangements, address that non-reporting and ensure that IFTIs were reported for these arrangements moving forward), the Project 106 team reviewed the Bank B Outgoing IFTIs and formed the view that they should be reported as outgoing IFTIs, which commenced after Westpac reported the matter to AUSTRAC on 21 November 2018. C.1.7LitePay Outgoing IFTIs 95Between August 2016 and November 2019, Westpac offered its customers a product known as LitePay, which facilitated overseas transfers of up to $3,000 to the European Union, Great Britain, India and the Philippines (with arrangements for different jurisdictions commencing at different points from August 2016 onwards). 96To facilitate payments to the European Union, Great Britain, India and the Philippines, Westpac had arrangements in place with Banks B, C and Q through which those correspondent banks could receive international funds transfers of up to $3,000 from Westpac accounts via LitePay, following which they would initiate payment instructions to the beneficiary banks in the relevant overseas countries. 97The SWIFT network was used for LitePay international payment instructions to the European Union, Great Britain and India. LitePay payments to the Philippines were sent via an application programming interface (API) connection. The API allowed for direct connectivity from Westpac to Bank Q for the sending of payment instructions from Westpac and not via the SWIFT network. Bank Q processed instructions received via an API through the domestic Philippines payment system. 98The arrangements described in paragraphs 95 to 97 above involved the provision of designated services by Westpac to customers within the meaning of section 6(1) of the AML/CTF Act. 99Westpac advised AUSTRAC that between August 2016 and November 2019 it was the sender of approximately 215,320 LitePay Outgoing IFTIs under arrangements with Banks B, C and Q, totalling $202,625,872. The LitePay Outgoing IFTIs were:

(a)electronic funds transfer instructions for the purposes of section 8(1) of the AML/CTF Act in that: (i)the customer (the payer) instructed Westpac (the ordering institution, and an ADI for the purposes of section 8(1)(c)(i) of the AML/CTF Act) to transfer money controlled by the payer to a third person (the payee) on the basis that the transferred money would be made available to the payee by Bank B, C or Q or another financial institution (the beneficiary institutions, and banks for the purposes of section 8(1)(d)(ii) of the AML/CTF Act); and (ii)the transfer instructions referred to in subparagraph (i) were passed on wholly or partly by electronic means; and (b)accepted at or through a permanent establishment of Westpac in Australia. 100 The transferred money relating to each of the LitePay Outgoing IFTIs was made available to the payee at or through a permanent establishment of Bank B, C or Q or another financial institution in a foreign country. 101By reason of the matters referred to in paragraphs 95 to 100 above, Westpac was required to give AUSTRAC a report of each outgoing IFTI referred to in paragraph 99 above within 10 business days after the date each LitePay Outgoing IFTI was sent. 102Of the 215,320 LitePay Outgoing IFTIs, Westpac did not report 2,314 IFTIs within 10 business days of the sending the IFTI, as required by section 45(2) of the AML/CTF Act, due to a lack of appropriate end-to-end reconciliation, assurance and oversight processes. 103On 25 November 2019, Westpac gave AUSTRAC reports of each of these 2,314 LitePay Outgoing IFTIs. 104As set out in paragraphs 105 to 107, there were several reasons for the non-reporting of 2,314 LitePay Outgoing IFTIs in accordance with section 45(2) of the AML/CTF Act. 105In May 2017, a technical issue affected the database replication within the LitePay payment system (Global Payplus Services Platform (GPP-SP)). Database replication was a necessary step to ensure that the GPP-SP system passed instructions on to the Detica system. As a result of this technical issue, 1,030 LitePay Outgoing IFTIs were not passed from the GPP-SP system to the Detica system. This, in turn, meant that those LitePay Outgoing IFTIs were not reported to AUSTRAC. 106In November 2018, a technical issue following the implementation of a SWIFT Standards Release affected payment processing in the GPP-SP system. As a result of this issue, support teams had to manually intervene in the process to set the payment status of each LitePay Outgoing IFTI to 'complete'. That manual intervention prevented an automated process from completing for 828 affected IFTIs, which meant that those IFTIs were not passed from the GPP-SP system to the Detica system. This, in turn, meant that the 828 affected LitePay Outgoing IFTIs were not reported to AUSTRAC. 107Between February 2017 and June 2019, a further 456 LitePay Outgoing IFTIs were not-reported due to a number of separate and isolated technology-related factors. 108Westpac did not have appropriate end-to-end reconciliation, assurance and oversight processes in place to identify the IFTI reporting failures relating to the LitePay Outgoing IFTIs.

109The non-reporting of certain LitePay Outgoing IFTIs was first identified by Westpac in July 2019 when the monthly reconciliation process detected a small number of breaks in the reporting of LitePay IFTIs. Westpac initiated a complete lookback reconciliation process in relation to LitePay IFTI reporting and disclosed the non-reporting to AUSTRAC on 29 October 2019. The 2,314 LitePay Outgoing IFTIs referred to above were reported to AUSTRAC on 25 November 2019. C.1.8IFTIs without payer name 110From 13 October 2014 to 1 November 2018 Westpac was the recipient of: (a)75,069 IFTIs transmitted into Australia by Bank F within the meaning of item 2 of the table in section 46 of the Act, totalling $82,247,485; and (b)1,075 IFTIs transmitted into Australia by Bank A within the meaning of item 2 of the table in section 46 of the Act, totalling $484,014, in respect of which Westpac did not include the name of the payer in its reports to AUSTRAC, as described in the paragraphs immediately below. 111Section 45(2) of the AML/CTF Act required Westpac to give the AUSTRAC CEO a report of each of these instructions within 10 business days after the date the instruction was received. In purported compliance with this requirement, Westpac gave the AUSTRAC CEO an IFTI report within 10 business days after receiving each instruction. 112However, a report under section 45(2) of the AML/CTF Act must contain such information relating to the matter as is specified in the AML/CTF Rules: section 45(3)(b). Paragraph 16.3(1) of the AML/CTF Rules required each report given to the AUSTRAC CEO under section 45(2) of the AML/CTF Act about an instruction within the meaning of item 2 of the table in section 46 of the Act to contain the name of the payer. ‘Payer’ was relevantly defined in section 5 and 8(1)(a) of the AML/CTF Act. 113Contrary to section 45(3)(b) of the AML/CTF Act and paragraph 16.3(1) of the AML/CTF Rules, each of the reports relating to each instruction identified at paragraph 110 did not contain the name of the payer: (a)In relation to 73,777 of the Bank F instructions - in place of the name of the payer, each of the reports contained the words ‘payer name not supplied by ordering institution’ in the ‘OC Payer’ field; (b)In relation to 1,292 of the Bank F instructions - in place of the name of the payer, the ‘OC Payer’ field was left blank. (c)In relation to each of the 1,075 instructions from Bank A, in place of the name of the payer, each of the reports contained a series of numbers and/or letters in the ‘OC Payer’ field. 114By reason of the matters at paragraph 113, Westpac did not give the AUSTRAC CEO a report about each of the instructions identified at paragraph 110 in accordance with section 45(2) of the AML/CTF Act. Westpac accordingly contravened section 45(2) of the AML/CTF Act on 76,144 occasions. 115Westpac did not have appropriate end-to-end reconciliation, assurance and oversight processes in place to identify the absence of the payer name in these IFTIs.

C.2 Information about the origin of the transferred money – contraventions of Part 5 of the AML/CTF Act C.2.1The required transfer information – contraventions of section 64(7)(f) of the AML/CTF Act 116Among other things, section 64 of the AML/CTF Act imposes obligations regarding the information about the origin of funds that institutions in a funds transfer chain are required to include in instructions they send to the next institution in the funds transfer chain. 117The obligations that are imposed on: (a)each person (if any) interposed between the ordering institution and the beneficiary institution (the interposed institution) are set out in section 64(7) of the AML/CTF Act; and (b)ordering institutions are set out in section 64(6) of the AML/CTF Act. 118For the reasons set out in this part C.2.1 and C.2.2 below, respectively, Westpac breached each of these requirements in respect of the Bank B Outgoing IFTIs Arrangement. 119At all material times, under section 64(2) of the AML/CTF Act, the following persons (institutions) were taken to form a funds transfer chain in respect of a multiple-institution person-to-person electronic funds transfer instruction or a multiple-institution same-person electronic funds transfer instruction: (a)the ordering institution; (b)the interposed institution; and (c)the beneficiary institution. 120At all material times, under section 64(7)(f) of the AML/CTF Act, if: (a)an institution is in the funds transfer chain; (b)the institution is an interposed institution and the transfer instruction is passed on to the interposed institution at or through a permanent establishment in Australia; (c)the transfer instruction is accepted by the ordering institution at or through a permanent establishment of the ordering institution in Australia; and (d)some or all of the required transfer information was passed on to the institution by another institution in the funds transfer chain, then, before passing on the transfer instruction to another institution in the chain, the interposed institution was required to ensure that the instruction included so much of the required transfer information (as defined in section 70 of the AML/CTF Act) as was passed on to the interposed institution as mentioned in subparagraph (d) above. 121In the period from 1 January 2014 to 3 February 2019, under the Direct Model ACM arrangements that Westpac had in place with Bank B, Westpac was an interposed institution in relation to 8,140 IFTIs (contained within 1,280 BAI2 Statement Format account statements) transmitted outside of Australia within the meaning of item 1 of the table in section 46 of the AML/CTF Act, totalling $601,568,069. Each of those instructions: (a)was a multiple-institution person-to-person electronic funds transfer instruction or a multiple-institution same-person electronic funds transfer instruction in which Westpac page 20

was an interposed institution in the funds transfer chain that was passed on to Westpac at or through its permanent establishment in Australia; and (b)was accepted by the ordering institution at or through a permanent establishment of the ordering institution in Australia. 122When Westpac received each of the instructions referred to in paragraph 121 above as an interposed institution, some or all of the required transfer information was passed on to Westpac by another institution in the funds transfer chain. 123When Westpac sent each of the instructions referred to in paragraph 121 above to another institution in the funds transfer chain, being Bank B, Westpac did not include in the instruction so much of the required transfer information as it had been given as referred to in paragraph 120 above. The Bank B Outgoing IFTI Arrangements involved Westpac reporting transfers to the Bank B settlement Account to Bank B by sending an account statement in BAI2 Statement Format to Bank B. As noted at paragraph 38 above, BAI2 Statement Format is a standard format used for account statements. While Westpac included certain information in the BAI2 statements (including remitter name, lodgement reference, beneficiary account number, amount, date and a unique reference number assigned by Westpac), it did not include the payer account number, which is not a standard data field on bank statements, but is required transfer information (as defined in section 70 of the AML/CTF Act). 124By reason of the matters referred to in paragraphs 121 to 123 above, Westpac did not provide the requisite information in respect of 8,140 transactions, as required by section 64(7)(f) of the AML/CTF Act. 125The reason Westpac did not include in the instructions the payer account number as referred to in paragraph 123 above was that, prior to November 2018, Westpac’s mistaken view was that the statements in BAI2 Statement Format were account statements, and did not constitute “instructions”. On this basis, Westpac did not consider that the BAI2 statements were subject to the obligations in section 64(7)(f) of the AML/CTF Act. Westpac did not have appropriate processes in place to identify and correct this mistaken view. However, as noted at paragraph 94 above, during the course of Project 106, the Project 106 team reviewed Direct Model ACM arrangements that Westpac had in place with Bank B and formed the view in November 2018 that they did involve “instructions” for the purposes of section 64(7)(f) of the AML/CTF Act. On 22 November 2018, Westpac confirmed to AUSTRAC that it would commence reporting IFTIs for this arrangement. C.2.2The required transfer information – contraventions of section 64(6) of the AML/CTF Act 126At all material times, under section 64(6) of the AML/CTF Act, if (in respect of a multiple-institution person-to-person electronic funds transfer instruction or a multiple-institution same-person electronic funds transfer instruction): (a)the ordering institution was in the funds transfer chain; and (b)the transfer instruction was accepted by the ordering institution at or through a permanent establishment of the ordering institution in Australia, then, before the ordering institution passed on the transfer instruction to another person in the chain, the ordering institution was required to ensure that the instruction included the required transfer information (as defined in section 70 of the AML/CTF Act). page 21

127In the period 1 January 2014 to 3 February 2019, under the Direct Model ACM arrangements that Westpac had in place with Bank B, Westpac was the ordering institution in relation to 2,400 IFTIs (contained within 1073 BAI2 Statement Format account statements) transmitted out of Australia within the meaning of item 1 of the table in section 46 of the AML/CTF Act, totalling $92,891,622. Each of those instructions: (a)was part of a multiple-institution person-to-person electronic funds transfer instruction or a multiple-institution same-person electronic funds transfer instruction in which Westpac was the ordering institution in the funds transfer chain; and (b)was accepted by Westpac as the ordering institution at or through its permanent establishment in Australia. 128When Westpac (as ordering institution) accepted each of the instructions referred to in paragraph 127 above, Westpac obtained the complete payer information (as defined in section 71 of the AML/CTF Act). 129In respect of each instruction referred to in paragraph 127 above, before passing it on to another institution in the funds transfer chain, Westpac did not include the required transfer information in the instruction, as required by section 64(6) of the AML/CTF Act. As noted at paragraph 123 above, the Bank B Outgoing IFTIs Arrangements involved Westpac reporting transfers to the Bank B Settlement Account to Bank B by sending an account statement in BAI2 Statement Format to Bank B. While Westpac included certain information in the BAI2 Statement Format account statements (including remitter name, lodgement reference, beneficiary account number, amount, date and a unique reference number assigned by Westpac), it did not include the payer account number, which is not a standard data field on bank statements, but is required transfer information (as defined in section 70 of the AML/CTF Act). 130The reason why Westpac did not include in the instructions the payer account number as referred to in paragraph 128 above was the same reason referred to in paragraph 125 above. The cause of the failure to include that required transfer information in the BAI2 Statement Format account statements was the same cause referred to in paragraph 125 above. C.3 Making and retaining records – contraventions of section 115 of the AML/CTF Act 131The Direct Model ACM arrangements with Bank A (the Bank A arrangements) involved Bank A passing on to Westpac multiple-institution person-to-person electronic funds transfer instructions to which section 64 of the AML/CTF Act applied. Westpac retained all records that it was required to retain in respect of most of these transfer instructions received from Bank A under the Bank A Arrangements. However, during the period 15 March 2011 to 1 July 2016 Westpac failed to retain for the necessary period one required component in relation to 3,516,238 transfer instructions passed on to Westpac by Bank A (Relevant Transfer Instructions), in relation to which: (a)Bank A was the ordering institution in the funds transfer chain; (b)Westpac was the interposed institution in the funds transfer chain; (c)Westpac passed on the transfer instruction, at or through a permanent establishment in Australia, to another financial institution in the funds transfer chain; (d)the transferred money was made available at or through a permanent establishment of the beneficiary institution in Australia;

(e)Bank A passed on to Westpac some or all of the required transfer information (as defined in section 70 of the AML/CTF Act) (required transfer information) to Westpac; (f)the transfer instruction was accepted by Bank A at or through a permanent establishment in foreign country; and (g)the transfer instruction was passed on to Westpac by a permanent establishment of Bank A in a foreign country. 132The Relevant Transfer Instructions were in respect of 325 Structured Files received by Westpac on the following dates between 15 March 2011 to 1 July 2016: (a)15 March 2011 to 3 October 2012 (318 Structured Files and 3,367,453 transfer instructions); (b)1 April 2015 (1 Structured File and 16,921 transfer instructions); (c)1 July 2015 to 2 July 2015 (2 Structured Files and 38,862 transfer instructions); (d)1 October 2015 and 2 October 2015 (2 Structured Files and 30,237 transfer instructions); (e)1 April 2016 (1 Structured File and 27,220 transfer instructions); and (f)1 July 2016 (1 Structured File and 35,545 transfer instructions). 133By reason of the matters referred to in paragraphs 131 to 132 above, Westpac was required, by section 115(2) of the AML/CTF Act and in respect of each of the Relevant Transfer Instructions, to: (a)make a record of so much of the required transfer information as was passed on to Westpac as mentioned in subparagraph 131(e) above; and (b)retain that record, or a copy of that record, for 7 years after the transfer instruction was passed on to Westpac. 134In respect of each of the Relevant Transfer Instructions, while Westpac made a record of so much of the required transfer information (as defined in section 70 of the AML/CTF Act) as was passed on to Westpac as mentioned in subparagraph 131(e) above, it did not retain a record of all of this information for 7 years after the transfer instructions were received by Westpac. The one record that Westpac did not retain for 7 years was a record of the unique reference number that was passed onto it by Bank A. That unique reference number was provided to Bank A's customer by Bank A as a reference number for the transaction. It was important for Westpac to retain a record of Bank A's unique reference number for each transaction because it enabled the origin of funds to be traced efficiently and quickly, if required by AUSTRAC or law enforcement. 135Westpac retained a record of all other information passed onto it by Bank A in relation to the Relevant Transfer Instructions, including: (a)Beneficiary BSB (b)Beneficiary Account Number (c)Amount (d)Beneficiary Name (e)Lodgement Reference (f)Name of Remitter.

136By reason of the matters referred to in paragraphs 131 to 134 above, Westpac contravened section 115(2) on 3,516,238 occasions. 137The reasons Westpac did not retain the records referred to in paragraph 134 above are as follows: (a)as noted at paragraph 58 above, Qvalent and WIBS are systems through which Westpac receives payment instruction files from correspondent banks. Structured Files received from Bank A were received through Qvalent and passed to WIBS for processing; (b)at all relevant times, both Qvalent and WIBS included backup systems that retained a record of the original transfer instructions received from Bank A; (c)in relation to the 3,367,453 transfer instructions referred to in subparagraph 132(a) above: (i)records of the original instructions were not retained for a period of 7 years in the Qvalent backup system as a result of a change in the backup system around the end of 2012, which led to the relevant transfer instructions from Bank A that were stored in the old backup system being lost; and (ii)records of the original instructions were not retained for a period of 7 years in the WIBS backup system as a result of the manual tape backup process that was in place for that system prior to November 2014. This backup tape process relied on manual action by the infrastructure operations team and involved the physical removal and replacement of magnetic tapes when full to capacity. As part of this, tapes were recycled, such that old data was often overridden by newer data when the magnetic tapes were manually swapped out; (d)in relation to the 148,785 transfer instructions referred to in subparagraphs 132(b) to 132(f) above; (i)records of the original instructions were not retained for a period of 7 years in the Qvalent backup system as a result of a configuration gap in the quarterly schedule which did not correctly account for months with 31 days. The configuration gap meant that the Qvalent system backed up the previous 90 days only, which led to a 1 to 2 day gap in certain of the quarterly backups between April 2015 and July 2016; and (ii)records of the original instructions were not retained for a period of 7 years in the WIBS backup system as a result of the electronic backup system that was introduced in November 2014 being configured for a period between November 2014 and early 2017 to store monthly backups for 12 months from the date of backup; and (e)it did not have appropriate IT change management, assurance and oversight processes in place with respect to record keeping. C.4 Correspondent Banking Due Diligence – contraventions of section 98 of the AML/CTF Act C.4.1Westpac’s Correspondent Banking Due Diligence Obligations

138At all times throughout the Relevant Period, Westpac (as a bank and therefore a financial institution within the meaning of section 5 of the AML/CTF Act, which had entered into correspondent banking relationships that involved vostro accounts) was required by: (a)section 98(1) of the AML/CTF Act to carry out regular assessments of the risks Westpac may reasonably face that the correspondent banking relationship might (whether inadvertently or otherwise) involve or facilitate ML/TF (Preliminary Risk Assessment); and (b)section 98(2) of the AML/CTF Act to: (i)carry out regular assessments of such matters as specified in the AML/CTF Rules; and (ii)prepare a written record of each assessment as soon as practicable after the completion of the assessment, if carrying out those assessments was warranted by a Preliminary Risk Assessment undertaken by Westpac in accordance with section 98(1) of the AML/CTF Act (Due Diligence Assessments), (together Westpac’s Correspondent Banking Due Diligence Obligations). 139The term 'vostro account' is as defined in paragraph 11(e). C.4.2Systems and controls designed to comply with Westpac’s Correspondent Banking Due Diligence Obligations 140As stated in paragraph 10, while essential to the international financial system, correspondent banking relationships present higher ML/TF risks. Identifying, assessing and mitigating those risks is inherently challenging because the risks posed concern customers of the correspondent bank rather than Westpac's customers. 141Throughout the Relevant Period, Westpac had in place processes, systems and controls intended to manage these risks and comply with Westpac’s Correspondent Banking Due Diligence Obligations. Those processes, systems and controls are described in paragraphs 142 to 170 below. C.4.2.1 Three Lines of Defence 142Westpac had a 'Three Lines of Defence' risk management approach designed with the intention of managing the ML/TF risk presented by its correspondent banking relationships and designated services as set out immediately below. First line of defence – risk identification, risk management and self-assessment 143The Westpac Institutional Bank division (WIB) relevantly included the Corporate & Institutional Banking (CIB) team and the Global Transaction Services (GTS) team. 144CIB and GTS were responsible for identifying, evaluating and managing the ML/TF risks Westpac may reasonably face with respect to its correspondent banking relationships. In particular: (a)CIB was responsible for the establishment of the correspondent banking relationships and was the relationship manager. From March 2018, GTS and CIB were jointly responsible for approving the establishment of all correspondent banking relationships; and

(b)GTS was responsible for the ongoing risks of product management processes and procedures to the extent they impacted upon correspondent banking. 145Throughout the Relevant Period, the Risk and Fraud Operations (RFO) team, a group function, conducted the Preliminary Risk Assessments and Due Diligence Assessments. The workbooks that documented both assessments are referred to as the DD Workbooks. A specialised team within RFO (RFO CBDD Team) was responsible for: (c)conducting Preliminary Risk Assessments and Due Diligence Assessments for correspondent banks, and completing the associated DD Workbooks; (d)monitoring adverse media events in relation to correspondent banks, and escalating these to CIB and GTS in accordance with a process prescribed by the Correspondent Banking Due Diligence AML/CTF Procedures Manual (CB Procedures Manual) as referred to in paragraph 165 below; and (e)once an automated transaction monitoring detection scenario was put in place for vostro accounts, undertaking an initial assessment of alerts generated from correspondent banking transaction monitoring scenarios. 146The DD Workbook completed by the RFO CBDD team was reviewed and approved by the relevant relationship manager from CIB (Relationship Manager) and the relevant network manager from GTS (Network Manager). Second line of defence – establishment of risk management framework and policies and risk management oversight 147The second line of defence involved: (a)from January 2018, oversight by the WIB Financial Crime team of the completion of the DD Workbooks by the RFO CBDD team; and (b)the Group Financial Crime team setting the standards required across the Westpac Group for Preliminary Risk Assessments and Due Diligence Assessments in the Westpac Group Correspondent Banking Standard (CB Standard) (explained in paragraph 155 below). Third line of defence – Group Audit 148The third line of defence involved the Group Audit team (previously known as Group Assurance until October 2015), which was the internal audit function at Westpac, independent of management. 149Group Audit conducted a number of reviews of Westpac’s AML/CTF correspondent banking due diligence processes, systems and controls during the Relevant Period. C.4.2.2 Policies and procedures relevant to Westpac’s Correspondent Banking Due Diligence Obligations 150The processes, systems and controls that Westpac had in place that were intended to achieve compliance with Westpac's Correspondent Banking Due Diligence Obligations were set out in the following policies and procedures: (a)the AML/CTF Policy; (b)the AML/CTF program;

(c)the CB Standard; and (d)the CB Procedures Manual. 151These processes, systems and controls also included , transaction monitoring over MT103 files sent and received, and sanctions screening processes. From September 2017, it also included Vostro account monitoring, noting that the monitoring first introduced in February 2016 was not appropriate or effective. The AML/CTF Policy 152The AML/CTF Policy set out the principles Westpac was required to follow to comply with its AML/CTF obligations, including in relation to correspondent banking relationships. The AML/CTF Program 153During the Relevant Period, the AML/CTF program provided for Westpac to maintain a CB Standard, which was the responsibility of the Group Money Laundering Reporting Officer (Group MLRO). 154The AML/CTF Program also set out key requirements in relation to correspondent banking due diligence, including that: (a)Westpac could not enter into a correspondent banking relationship without first assessing the risk that the relationship might involve the facilitation of ML/TF activities; and (b)the risk level assigned to the relationship would determine the due diligence required in respect of the correspondent bank, and the level of ongoing due diligence, with such due diligence being conducted by the RFO CBDD Team. CB Standard 155The CB Standard set out the level of due diligence required for correspondent banking relationships entered into by Westpac. 156During the Relevant Period, the CB Standard applied the following relevant principles: (a)Westpac must not directly or indirectly enter into a correspondent banking relationship with a shell bank; (b)before Westpac enters into a correspondent banking relationship with another financial institution, Westpac must carry out a due diligence assessment; (c)Westpac must not enter into a correspondent banking relationship unless senior officer approval had been granted; (d)once Westpac had entered into a correspondent banking relationship, Westpac must carry out regular due diligence assessments. The frequency of ongoing due diligence assessments was required to be based upon a risk assessment of the relationship; (e)Westpac must monitor correspondent banking relationships; and (f)Westpac must document its responsibilities and the responsibilities of the other party to the correspondent banking relationship, and retain records of due diligence assessments. 157The CB Standard required, among other things, that all high-risk correspondent banking relationships be reviewed annually, and all low or medium risk relationships be reviewed at least every four years unless a material incident occurred, which would trigger an immediate review.

158Although the AML/CTF Act only required Due Diligence Assessments to be carried out if warranted by the risk assessed in the Preliminary Risk Assessment, at all times the CB Standard required Westpac to conduct Due Diligence Assessments on each of its correspondent banks, regardless of their risk level. 159Although not required by the AML/CTF Act, the CB Standard defined a ‘correspondent banking relationship’ more broadly than was prescribed by section 98 of the AML/CTF Act. In particular: (a)under section 5 of the AML/CTF Act, a relationship could only be a correspondent banking relationship if, among other things, the reporting entity provided banking services to another financial institution that involved a vostro account; (b)Westpac also voluntarily categorised the provision of a Relationship Management Application (RMA) Key to another financial institution as a correspondent banking relationship and subjected the relationship to Preliminary Risk Assessments and Due Diligence Assessments. RMA Keys are the digital certificates issued to financial institutions to enable a trusted, provable and confidential end-to-end communication over the SWIFT Network. Some financial institutions may have RMA Keys with Westpac, but no vostro account; and (c)this approach meant that Westpac conducted Preliminary Risk Assessments and Due Diligence Assessments over a broader body of entities than was required under section 98 of the AML/CTF Act. CB Procedures Manual 160The CB Procedures Manual prescribed the frequency with which Preliminary Risk Assessments and Due Diligence Assessments should be conducted, and set out instructions for the RFO CBDD Team to complete the DD Workbook. 161During the Relevant Period, the CB Procedures Manual provided that the risk rating of the correspondent bank was calculated using the Correspondent Bank Risk Assessment Model (CBRA Model) to determine the "Composite Risk Rating". The Composite Risk Rating assessed the following risk factors: (a) correspondent bank organisation type; (b) engagement channel; (c) product; (d) jurisdiction; and (e) increased risk/adverse findings (Risk Factors). 162The CBRA Model: (a) allowed users to choose answers for each Risk Factor from a drop-down menu, with the answer generating an automatic score; and (b) weighted particular Risk Factors, depending on their importance to the Composite Risk Rating. 163The CBRA Model then generated a Composite Risk Rating based on the weightings and the score for each Risk Factor. 164The Composite Risk Rating informed the level of subsequent due diligence conducted on the correspondent bank and when, absent a material trigger event, the correspondent bank would next be re-assessed. (a)for correspondent banks with a vostro account and a Composite Risk Rating of 'High', Westpac conducted an annual Due Diligence Assessment. The annual Due Diligence Assessment included reviewing the correspondent bank's answers to: (i)a standardised questionnaire designed by the Wolfsberg Group, an association of eleven global banks (Wolfsberg Questionnaire), that was required to have been

completed within a period of three years prior to the Due Diligence Assessment; and (ii)a questionnaire designed by Westpac (Westpac Questionnaire) that must have been completed within a period of three years prior to the Due Diligence Assessment. (b)for correspondent banks with a vostro account and a Composite Risk Rating of 'Low' or 'Medium', Westpac: (i)conducted a Due Diligence Assessment every four years. This Due Diligence Assessment required a review of a Westpac Questionnaire and a Wolfsberg Questionnaire, which in each case must have been completed within a period of three years prior to the Due Diligence Assessment; and (ii)conducted a preliminary report into the correspondent bank half way through the four year period between each Due Diligence Assessment 165The CB Procedures Manual required 'trigger events' (namely mergers / takeovers / acquisitions, financial difficulties, changes of ownership, fines or regulatory action in relation to AML/CTF compliance, change in the country risk profile, suspicion of dealing with a shell bank, and a change in sanctioned country status) relating to the correspondent banks to be monitored through Factiva, a business information and research tool used by Westpac. 166Until January 2018, the CB Procedures Manual provided that where a trigger event was identified, a report was to be made to the Relationship Manager and the Network Manager for assessment and a decision as to the appropriate course of action. From January 2018 onwards, these trigger events were intended to lead to the Relationship Manager contacting the correspondent bank to complete an enhanced customer due diligence form, if the Relationship Manager, Network Manager, WIB Financial Crime and the Jurisdictional Financial Crime Officer agreed that such enhanced customer due diligence should be conducted. 167In January 2018, the CB Procedures Manual was updated to include two additional questions for the Relationship Manager and Network Manager that asked whether, since the last Due Diligence Assessment, there had been any material change in the products and services used by the correspondent bank, or any noticeable change to the volume or value of transactions. This change was made to address an AUSTRAC recommendation (following a Compliance Assessment by AUSTRAC in 2016) that Westpac more clearly articulate in its procedures how it assessed material changes in the nature of the correspondent bank's ongoing business relationship, in accordance with paragraph 3.1.4(4) of the AML/CTF Rules. However, the additional questions in the CB Procedures Manual were not supported by appropriate processes to identify material changes in products or services or in the volume and value of transactions. Sanctions screening and controls 168During the Relevant Period Westpac had a Sanctions Policy in place, which stated that: (a)Westpac screens for designated entities (and, from 2017, sanctioned activities) in accordance with applicable sanctions regimes both in Australia and overseas; (b)Westpac does not maintain bank accounts for individuals or entities that are designated entities in any jurisdiction in which Westpac operates. From 2016 it further provided that if an existing customer of Westpac becomes designated in any such jurisdiction and

relevant laws require Westpac to freeze the assets of that customer then Westpac will do so, and that if Westpac is not required to freeze the assets of such a customer then Westpac will terminate its relationship with the relevant customer; and (c) Westpac exercises due care in designing and refining business rules and processes to ensure that no individual transaction involves a knowing breach of applicable sanctions obligations. 169During the Relevant Period, transactions conducted through vostro accounts on Westpac's vostro system were subject to screening for sanctions. Sanctions screening did not apply in relation to all the Direct ACM arrangements until mid-2018, shortly before these arrangements were terminated. Sanctions screening was not applied to instructions received through the Referral ACM arrangements that were settled through Direct Entry or BPay. In some cases, sanctions screening was applied to instructions received through the Referral ACM arrangements that were settled through RTGS. 170To the extent sanctions risks were identified during the Due Diligence Assessment, the DD Workbook was also required to be sent to WIB Financial Crime to review. From January 2018, the CB Procedures Manual: (a)provided for a 'Sanctions Escalation Model' (which was stated in the CB Procedures Manual to be the process from 1 October 2016). The Sanctions Escalation Model required escalation to WIB Financial Crime for approval in certain circumstances, including where the Preliminary Risk Assessment or Due Diligence Assessment on any correspondent bank identified any 'sanctions concern', with an escalation line to the Group Sanctions team if the WIB Financial Crime team required Group Sanctions' input; and (b)included in the Westpac Questionnaire an additional 'Sanctions Questionnaire' which required the correspondent bank to disclose risks relating to sanctions issues, answer detailed questions about its sanctions screening and controls, and complete an attestation for relationships it had with entities in Iran. C.4.3Contraventions of subsections 98(1) and 98(2) of the AML/CTF Act: Preliminary Risk Assessments and Due Diligence Assessments 171At all times throughout the Relevant Period, Westpac had a correspondent banking relationship within the meaning of the AML/CTF Act that involved a vostro account with each of the correspondent banks. 172At all times throughout the Relevant Period, the risks assessed under the Preliminary Risk Assessments required Westpac to conduct Due Diligence Assessments on each of the correspondent banks. 173During the Relevant Period, Westpac carried out 48 Preliminary Risk Assessments and 48 Due Diligence Assessments with respect to the correspondent banks. A table setting out the Preliminary and Due Diligence Risk Assessments conducted in respect of these entities is at Annexure B to this SAFA. 174During the Relevant Period, despite:

(a)Westpac having in place the processes, systems and controls described at paragraphs 142 to 170 above intended to achieve compliance with its obligation to conduct Preliminary Risk Assessments and Due Diligence Assessments; and (b)Westpac conducting regular Preliminary Risk Assessments and Due Diligence Assessments in respect of its correspondent banking relationships with the correspondent banks, the Preliminary Risk Assessments did not fully comply with section 98(1) of the AML/CTF Act and the Due Diligence Assessments did not fully comply with section 98(2) of the AML/CTF Act in the following regards: (a)in some cases, Westpac did not identify and assess all of the banking services and transactions it facilitated through its correspondent banking relationships; (b)in some cases, Westpac did not assess the impact of identified higher ML/TF risks upon banking services provided by Westpac to the correspondent banks; and (c)in some cases, Westpac did not appropriately assess the jurisdictional risks of the correspondent banking relationships; and the Due Diligence Assessments did not fully comply with section 98(2) of the AML/CTF Act in the following further regards: (a)in some cases, the assessment of the correspondent bank's products and customer base was not sufficient; (b)in some cases, the assessment of the adequacy of the correspondent banks' controls and internal compliance practices relating to AML/CTF was not sufficient; and (c)the assessment of the nature of the correspondent banks' ongoing business relationships with Westpac and material changes to those relationships, including the types of transactions carried out through the relationships, was not adequate. 175Further detail in respect of each of those matters is set out below. C.4.3.1 Failure to identify and assess banking services and transactions facilitated through correspondent banking relationships 176Westpac’s Preliminary Risk Assessments and Due Diligence Assessments in respect of Banks B, C, D, E and F did not consider the risks posed by corporate operating accounts used to facilitate the Direct ACM arrangements (the Direct ACM Corporate Operating Accounts). The Direct ACM Corporate Operating Accounts were vostro accounts because, as used under the Direct ACM Arrangements, they were accounts held by a correspondent bank with Westpac in Australian dollars in order to facilitate settlement of international transactions on behalf of the correspondent bank's customers. Nor did these assessments consider the risks posed by the vostro accounts used to facilitate the OSBSB arrangements with Bank B and Bank J (the Bank B Settlement Account and the Bank J Settlement Account, and together the OSBSB Settlement Accounts), noting that the OSBSB Settlement Account for Bank B was also the Direct ACM Corporate Operating Account for Bank B. 177The reason that Westpac did not consider the risks posed by the Direct Model ACM arrangements as part of its Preliminary Risk Assessment and Due Diligence Assessment was because throughout the Relevant Period Westpac determined whether an account was a “vostro” account by reference to whether the account was maintained on Westpac’s vostro account page 31

system, rather than by reference to the characteristics of the account. The CB Standard did not require Westpac to consider the characteristics of an account in determining whether it was a vostro account. 178While ML/TF risks associated with some of the Direct Model ACM arrangements were assessed through a product risk assessment (PRA), these assessments were inadequate and the PRA did not feed into the assessment of the ML/TF risk posed by the correspondent banking relationship during the Preliminary Risk Assessment and Due Diligence Assessment. C.4.3.2 Failure to assess the impact of identified higher ML/TF risks upon banking services provided to the correspondent banks 179As a result of a limitation in the CBRA Model scoring methodology (which applied to all correspondent banks), identified higher ML/TF risks were not always appropriately assessed and did not always have an impact upon the Composite Risk Rating. For example, the following identified ML/TF risks did not impact the Composite Risk Rating: Nested arrangements 180In the case of Banks B, C, D, E, I, K, M, O and P, the DD Workbooks did not evidence an assessment of the impact or likelihood of the risk arising from correspondent banks disclosing that they provided services through nested arrangements. Nested arrangements refer to the use of a bank's correspondent banking relationship by other underlying financial institutions through their relationship with the correspondent bank's direct customer. The underlying financial institutions conduct transactions without being direct customers of the correspondent bank. It is also known as downstream correspondent banking. 181These arrangements pose higher ML/TF risks because the correspondent bank does not have visibility over the underlying financial institutions transacting through the arrangement. The impact and likelihood of this risk should have been assessed. 182Since September 2017 Westpac has had automated transaction monitoring in place to identify nested arrangements (see paragraph 151 above). Sanctions risk 183In the case of Banks L, M and P, the DD Workbooks did not evidence an assessment of the impact of the risk arising from correspondent banks disclosing that they had relationships with correspondent banks operating in jurisdictions which had trade or financial sanctions imposed by one or more other jurisdictions. 184In the case of Bank B, the DD Workbooks did not evidence an assessment of the impact or likelihood of the risk arising from Westpac opening a vostro account for a subsidiary of Bank B in Zimbabwe, being a jurisdiction that was subject to limited trade and financial sanctions by Australia, the United States, and the European Union. 185While in each case: (a)Westpac was not prohibited under applicable sanctions laws from having relationships with these correspondent banks and; (b)these risks were mitigated by: (i)all transactions through vostro accounts being subject to sanctions screening; and

(ii)the requirement under the CB Procedures Manual that sanctions issues identified in the Due Diligence Assessment be escalated to the WIB Financial Crime team for review (as noted above at paragraph 170), each of these relationships posed a higher ML/TF risk to Westpac because of the risk that the correspondent bank could facilitate payments in breach of applicable sanctions laws. The impact of this risk should have been assessed. AML/CTF enforcement action 186During the Relevant Period, in some instances, when regulatory action concerning AML/CTF compliance was identified in relation to a correspondent bank, this led to an increase in the ML/TF risk rating for the correspondent bank. 187However, for adverse regulatory action identified in relation to Bank B, the risk rating was reduced from 'High' to 'Medium', despite new adverse action being identified during the 2016 to 2017 period. C.4.3.3 Failure to appropriately assess jurisdictional risks 188While Westpac assigned a jurisdictional risk rating in its Preliminary Risk Assessments for each correspondent banking relationship, in the case of Bank G Subsidiary, and Banks B, C, D, F, I, K, M, N and O, this was based solely on the domicile of the parent entity of the correspondent bank being assessed, and not the domicile of the correspondent bank itself. The Bank A Parent and Banks E, H, J, L and P were assessed because they were the parent entities of the relevant banking groups. 189The domicile of a correspondent bank is a potentially important ML/TF risk factor as there is a significant variation in the robustness of jurisdictions' AML/CTF compliance regimes. 190This failure occurred because the CB Procedures Manual required the RFO CBDD Team to assess the jurisdictional risk rating of the parent entity of the correspondent bank being assessed, rather than the correspondent bank. 191The consequence was that the CBRA Model gave a 40% weighting to the domicile of each parent bank. Whilst Westpac obtained information in the assessments about branches and subsidiaries , this information did not feed into in the composite risk rating assessment of the parent bank. For example, the fact that some correspondent banks had a number of branches and subsidiaries in jurisdictions subject to some form of trade or financial sanctions was not reflected in the composite risk rating assessment for the parent banks. 192Westpac also did not appropriately apply its own jurisdictional risk assessment with regard to Bank G Subsidiary and Bank H. With each bank, the DD Workbook identified the jurisdiction as having ‘Extreme Jurisdictional Risk’. However, each Preliminary Risk Assessment and Due Diligence Assessment over the Relevant Period assessed the jurisdictional risk as ‘Medium Jurisdictional Risk’, save for the 2018 Due Diligence Assessment for Bank H, where the jurisdictional risk was rated as 'High'. C.4.3.4 Assessments of products and customer base 193In the course of conducting its Due Diligence Assessment in respect of the correspondent banks, Westpac identified and documented the full suite of products offered by each correspondent bank, and their types of customers. Westpac did this by asking questions of the correspondent banks in the Westpac Questionnaire.

194During the Relevant Period: (a)the assessment of some correspondent banks' suite of products and types of customers was not sufficiently regular, having regard to the fact that they were risk rated as 'High' or 'Medium' risk, and the importance of understanding the correspondent banks' products and customer base in identifying, assessing and mitigating the risk posed by the correspondent banking relationship. For example: (i)for Bank A Parent and Bank O, which were rated as ‘High’ risk, Westpac did not re-assess the nature of the correspondent bank's products and customer base within a three year period; and (ii)for Bank F, which was rated as 'High' risk, Westpac did not assess the nature of the correspondent bank's products and customer base until 2017; (iii)for Banks C and L, which were rated as 'High risk', and for Bank P, which was rated as 'Medium' risk, Westpac did not re-assess the nature of the correspondent banks' products and customer base after 2014; and (iv)for Bank G Subsidiary, which was rated as 'Medium' risk, Westpac did not assess the nature of the correspondent bank's products and customer base during the Relevant Period. (b)the assessments of a number of the correspondent banks did not evidence sufficient consideration of ML/TF risks identified in relation to the correspondent banks' customer and product bases and were not always based on adequate information, in each case in breach of the requirements in paragraphs 3.1.4(1) and 3.1.2(1) of the AML/CTF Rules, and as a consequence, section 98(2) of the AML/CTF Act. C.4.3.5 Assessment of controls and internal AML/CTF compliance practices on inherent ML/TF risks 195During the Relevant Period: (a)for Bank A Parent and Bank O, which were rated as ‘High’ risk, Westpac did not assess fully the adequacy of the correspondent bank's controls and internal compliance practices relating to AML/CTF within three years; and (b)for Banks C and L, which were rated as 'High risk', Westpac did not assess fully the adequacy of the correspondent banks' controls and internal AML/CTF compliance practices after 2014; in each case in breach of the requirements of the applicable CB Procedures Manual, described at paragraph 164(a). 196The assessment of the adequacy of the controls and internal compliance practices relating to these correspondent banks was not sufficiently regular, having regard to their 'High' risk rating and the importance of these controls and practices in mitigating the risk posed by the correspondent banking relationships, in breach of the requirements in paragraphs 3.1.4(1) and 3.1.2(6) of the AML/CTF Rules, and, as a consequence, section 98(2) of the AML/CTF Act. C.4.3.6 Assessment of ongoing business relationship, including transactions, and any material changes to the business relationship 197During the Relevant Period, Westpac did not adequately:

(a)assess the nature of each correspondent bank’s ongoing business relationship with Westpac, including the types of transactions carried out as part of that correspondent banking relationship; and (b)identify and assess any material change in the nature of the correspondent bank’s ongoing business relationship with Westpac, including in respect of the types of transactions carried out as part of that relationship, in breach of paragraphs 3.1.4(3) and (4) of the AML/CTF Rules, and as a consequence, section 98(2) of the AML/CTF Act, for the following reasons. Questions in the DD Workbooks about ongoing business relationship and transactions 198Until November 2017, the DD Workbooks for the correspondent banks did not include questions designed to assess: (a)the nature of the correspondent banks' ongoing business relationship with Westpac; or (b)the transactions entered into as part of that relationship. 199As a consequence, until November 2017, there is no evidence in the DD Workbook of Westpac having regularly assessed the full nature of its ongoing business relationship with the correspondent banks. 200In November 2017, the DD Workbook was amended to require that the: (a)Relationship Manager confirm if there had been any material change in the products and services used by the customer since the last Due Diligence Assessment; and (b)Network Manager confirm if there had been any noticeable change to the volume or value of transactions since the last Due Diligence Assessment. 201In January 2018 the CB Procedures Manual was updated to reflect this change. However, limitations in Westpac's vostro account transaction monitoring meant that Westpac was not in a position to fully understand any material changes to the types, volume and value of transactions carried out as part of the correspondent banking relationship. Monitoring of payment flows through Direct ACM arrangements 202During the Relevant Period, Westpac did not have in place the following to monitor payment flows through the Direct ACM arrangements with Banks A to F: (a)trend analysis of the volume of activity flowing through the ACM Corporate Operating Accounts; (b)the identification of nesting by upstream financial institutions; and (c)transaction monitoring at account level to identify unusual transactions or patterns of transactions. 203Further, Westpac did not implement transaction monitoring of originator and beneficiary information within payment messages for the Direct ACM arrangements. Until the following dates, it also did not implement screening for sanctions: (a)in relation to Bank C, November 2016; (b)in relation to Bank D, October 2017; (c)in relation to Bank E, July 2018; and

(d)in relation to Bank B, August 2018. 204This limited its ability to monitor the ACM arrangements and changes in the transaction profile being processed. Automated monitoring of vostro accounts 205The potential need to transaction monitor vostro accounts was first identified at a correspondent banking monthly stakeholders meeting (CBMS Meeting) at Westpac in July 2012, which was attended by mid-level management, including a senior member of the WIB Financial Crime team. Despite discussing the need for transaction monitoring of vostro accounts at meetings between July 2012 and May 2015, as described below, no appropriate transaction monitoring over vostro accounts was introduced until September 2017. 206From February 2016, an automated detection monitoring scenario for vostro accounts was implemented, named “WS84 – High Value Transactions for VOSTRO Customers”. This detection monitoring scenario was designed to identify payments from correspondent banks via a vostro account which deviated from the correspondent bank's average transaction value, taken from the previous 180 day average for the correspondent bank, as well as the volume of transactions across the previous 90 day period from the alert date. This detection scenario did not appropriately monitor for all known ML/TF risks of vostro accounts and was decommissioned in July 2017 because it was not triggering a sufficient number of meaningful alerts and replaced in September 2017 with a new scenario for vostro accounts. 207The new scenario, named “WS89 – Correspondent Banking Transaction Monitoring (WIB)”, was implemented which was designed to identify transactions with the following indicators: (a)country risk (payments originating or passing through a country that is subject to trade or financial sanctions, has significant levels of corruption or lacks appropriate AML/CTF laws and regulations); (b)transactions that were unusual in the context of the relationship; (c)nested arrangements; and (d)transactions that passed through multiple jurisdictions without a valid arrangement. 208The WS89 detection scenario, whilst appropriate, was not adequate to fully understand and monitor for the ML/TF risks of payment flows. For example, it did not monitor for: (a)high level usage by a particular party; (b)high percentage usage by a particular customer of an overseas institution; (c)transactions originating in high risk countries; or (d)transactions whose ultimate beneficiary is in a high risk country. 209During the Relevant Period, Westpac did not apply the WS89 detection scenario to the Direct ACM Corporate Operating Accounts or to the OSBSB Settlement Accounts. These accounts were however subject to Westpac's other automated transaction monitoring rules that applied to its transactional bank accounts. 210The WIB Transaction Monitoring Program Alerts for vostro accounts dated September 2016, and from 7 March 2017, the RFO Detection Scenario Alert Management Vostro Transaction Monitoring Procedure, set out specific guidance for when alerts received in respect of this

transaction monitoring of vostro accounts should be escalated, and when a suspicion should be formed for the purpose of section 41 of the AML/CTF Act: (a)the WIB Transaction Monitoring Program Alerts for Vostro accounts required the WIB Financial Crime team to review the RFO's assessment and escalate any adverse information identified to GTS for further assessment; and (b)the RFO Detection Procedure required the RFO team to escalate transactions to the CBDD Team if it identified any red flag indicators associated with the transaction or the alerted customer as a result of its review. The CBDD Team, with advice from Group Financial Crime, would determine whether a suspicious matter report should be lodged under section 41 of the AML/CTF Act. The RFO Detection Procedure also provided for a process for alerts to be escalated to the Correspondent Banking Due Diligence Committee (CBDDC) to consider whether a Due Diligence Assessment should be reconducted. 211However, the alerts subject to the monitoring procedures described above were not meaningful until the WS89 detection scenario was introduced in September 2017. Nor were the alerts always actioned promptly. 212Insofar as the monitoring of the transaction relationship should have alerted Westpac to relevant material changes, so that it could then determine whether to proceed with an assessment: (a)until 18 November 2019, Westpac's trigger event reporting mechanism was not designed to consider these changes (further addressed at paragraph 216); and (b)the transaction monitoring conducted by Westpac of vostro accounts lacked sufficient depth for the reasons identified at paragraphs 206 to 208 above). 213While Westpac had transaction monitoring in place in relation to its international payments business, including in relation to MT103 instructions, its transaction monitoring in relation to vostro accounts limited its ability to assess its ongoing relationships with the correspondent banks and any material changes to those relationships. Trigger warning process 214The CB Procedures Manual provided for a trigger warning system based on Factiva. Under the CB Standard, a trigger event could lead to a new Due Diligence Assessment of a correspondent bank. 215The trigger event reporting process should have alerted Westpac to material changes in its relationship with a correspondent bank. However, it was flawed because: (a)the CB Procedures Manual did not provide for any trigger events designed to identify material changes in the nature of the ongoing business relationship, including the types of transactions carried on as part of that relationship; (b)analysis of these reports was not appropriately documented, because: (i)during the Relevant Period, the RFO team monitored trigger events, and sent the trigger reports to the Relationship Manager and Network Manager for their comments and assessment. Under the CB Procedures Manual, the Relationship Manager, Network Manager and Group MLRO were obliged to consider answers to several questions documented at section 2 of the trigger report which assessed Westpac's exposure to the trigger event; but page 37

(ii)in respect of some of the trigger reports generated for Bank A Parent, Banks B, C, D, E, I, J, K, L, M, N, and P, and in breach of the requirements of the CB Procedures Manual, these questions were not always completed in respect of trigger events; and (c)during the Relevant Period, the requirement to conduct enhanced customer due diligence under the CB Procedures Manual was at the discretion of the Relationship Manager, the Network Manager and WIB Financial Crime. Although some correspondent banks were placed on a ‘watching brief’ after multiple trigger events, they were not subject to any additional enhanced customer due diligence; and (d)in September 2018 Westpac identified, as part of a Controls Assurance Review into Correspondent Banking Due Diligence, that the Factiva trigger event monitoring process required enhancement to ensure the completeness of correspondent bank lists and defined monitoring scope set up in Factiva, sufficient quality assurance control and proper record retention. There were weaknesses in the escalation of trigger reports, with the result that trigger events were treated inconsistently. No independent quality assurance controls were performed to ensure all Factiva alerts were actioned properly. 216Until 18 November 2019, Westpac's Due Diligence Assessment process also did not include any processes for monitoring for additional risks arising from the sale of new products to the correspondent banks (being a material change in the nature of the correspondent bank’s ongoing business relationship with Westpac). Until 18 November 2019, when the CBDD Procedures replaced the CB Procedures Manual, the sale of a new product to a correspondent bank was not a trigger event. This meant that any new risks arising from the sale of a new product over the Relevant Period to the correspondent banks was not assessed in a DD Workbook. 217Deficiencies in Westpac's trigger warning processes limited its ability to monitor material changes in its relationships with the correspondent banks. C.4.4 Quality assurance 218During the Relevant Period, whilst Westpac's approach to quality assurance matured, as did industry standards, first line testing and second line oversight was not consistent. 219An external consultant reviewed a sample of 60 DD Workbooks in 2012, Line 2 (Controls Assurance) conducted testing over samples of DD Workbooks in 2014 and Line 3 (Group Audit) conducted reviews during the Relevant Period which included correspondent banking due diligence within its scope. 220Steps were also taken to improve the quality assurance over the correspondent banking due diligence process, including: (a)In January 2018: (i)WIB Financial Crime were required for the first time to sign off on the DD Workbooks; (ii)CBDDC approval was required for all high risk banks; and (b)In February 2018 a four eye review process was introduced to be conducted on each due diligence workbook by the relevant RFO manager. 221Since 18 November 2019, the CBDD Procedures requires that:

(a)a separate quality checking team within RFO reviews the DD Workbooks within one month of completion to confirm all relevant information has been collected and appropriately recorded; and (b)the Financial Crime team within GTS performs a sample review of completed DD Workbooks to confirm, at a minimum, that: (i)all required identification and verification information is collected for the entity, including any parent entity and/or owner(s) / controller(s); (ii)any indicators of potential prohibited customer types or restricted customer activities were identified and considered; (iii)the Composite Risk Rating is correctly determined; and (iv)all necessary approvals are obtained. 222While there were quality assurance controls in place prior to this point (as described above), had Westpac adopted these additional controls earlier, a number of the issues described above would have been identified earlier. Further, whilst Group Audit conducted some review of correspondent banking due diligence processes during the Relevant Period, its reviews did not fully cover these processes. C.4.5Conclusion 223By reason of the matters referred to in paragraphs 171 to 217 above, Westpac did not conduct an adequate Preliminary Risk Assessment in accordance with section 98(1) of the AML/CTF Act on 48 occasions and did not conduct an adequate Due Diligence Assessment in accordance with section 98(2) of the AML/CTF Act on 48 occasions. C.5 AML/CTF Program C.5.1 Requirements under section 81 of the AML/CTF Act 224Throughout the Relevant Period, section 81 of the AML/CTF Act stipulated that a reporting entity must not commence to provide a designated service to a customer if the reporting entity has not adopted, and does not maintain, an AML/CTF program within the meaning of section 83 of the AML/CTF Act that applies to the reporting entity (being either a standard, joint or special AML/CTF program). 225The AML/CTF Program is the principal document for setting out the risk-based systems and controls that are required to ensure compliance with the AML/CTF Act and the AML/CTF Rules. It is the means through which a reporting entity is required to take responsibility for managing the money laundering and terrorism financing risks of its own business. 226Throughout the Relevant Period, section 85(1) of the AML/CTF Act defined a joint AML/CTF program as a written program that applies to each reporting entity that from time to time belongs to a particular designated business group, and is divided into the following parts: Part A (general); and Part B (customer identification). 227Section 85(2) of the AML/CTF Act defined Part A of a joint AML/CTF program as a part which: (a)has the primary purpose of identifying, mitigating and managing the risk that each reporting entity may reasonably face that the provision of designated services at or through a permanent establishment of the reporting entity in Australia might (whether

inadvertently or otherwise) involve or facilitate money laundering or terrorism financing (ML/TF risk); and (b)complies with such requirements as are specified in the AML/CTF Rules. 228Throughout the Relevant Period, the AML/CTF Rules required that Part A of a joint AML/CTF program must, among other things: (a)in determining and putting in place appropriate risk-based systems and controls, have regard to the following factors in relation to each reporting entity in the designated business group (paragraph 9.1.3): (i)the nature, size and complexity of business; and (ii)the type of ML/TF risk that might be reasonably faced; (b)take account of the risk posed by the following factors in relation to each reporting entity in the designated business group (paragraph 9.1.4): (i)the customer types, including any politically exposed persons; (ii)the types of designated services provided; (iii)the methods by which designated services are delivered; and (iv)the foreign jurisdictions dealt with; (c)be designed to enable the designated business group to (paragraph 9.1.5): (i)understand the nature and purpose of the business relationship with its customer types, including, as appropriate, the collection of information relevant to that understanding; (ii)understand the control structure of non-individual customers; (iii)identify significant changes in ML/TF risk for the purposes of the group’s Part A and Part B programs, including: (A)risks identified by consideration of the factors in paragraph 9.1.4; and (B)risks arising from changes in the nature of the business relationship, control structure or beneficial ownership of its customers; and (iv)such changes in ML/TF risk to be recognised for the purposes of the requirements of the group’s Part A and Part B programs; and (v)identify, mitigate and manage any ML/TF risk arising from: (A)all new designated services prior to introducing them to the market; (B)all new methods of designated service delivery prior to adopting them; (C)all new or developing technologies used for the provision of a designated service prior to adopting them; and (D)changes arising in the nature of the business relationship, control structure or beneficial ownership of its customers; (d)include a transaction monitoring program (paragraph 15.4) that must: (i)include appropriate risk-based systems and controls to monitor the transactions of customers (paragraph 15.5); and page 40

(ii)have the purpose of identifying, having regard to ML/TF risk, any transaction that appears to be suspicious within the terms of section 41 of the AML/CTF Act (paragraph 15.6); and (e)include appropriate systems and controls of each of the reporting entities designed to ensure compliance with the reporting obligations of the reporting entity (paragraph 9.9.1(2)). C.5.2 Westpac's Part A Program 229At all times in the Relevant Period, Westpac had a joint AML/CTF program which included a document titled: (a)since 7 March 2018, 'Anti-Money Laundering & Counter-Terrorism Financing Program Part A'; (b)between 20 July 2017 and 6 March 2018, 'Anti-Money Laundering & Counter-Terrorism Financing Program'; and (c)between at least May 2013 and 19 July 2017, 'AML/CTF Program', (each the Program Document). 230This document was updated over time and relevantly comprised the following versions: (a)version 3.3 effective from 22 May 2013 to 10 February 2015; (b)version 4.0 effective from 11 February 2015 to 26 January 2016; (c)version 4.1 effective from 27 January 2016 to 19 July 2017; (d)version 4.2 effective from 20 July 2017 to 6 March 2018; (e)version 1.0 effective on 7 March 2018; (f)version 1.1 effective from 8 March 2018 to 1 May 2018; (g)version 1.2 effective from 2 May 2018 to 13 August 2018; (h)version 1.3 effective from 14 August 2018 to 5 March 2019; (i)version 2.0 effective on and from 6 March 2019. 231At all times in the Relevant Period, the Program Document included the following: (a)a section headed 'ML/TF Risk Assessment', which: (i)required Westpac to undertake ML/TF risk assessments to identify, mitigate and manage the ML/TF risk exposure of its business; and (b)a section headed 'Transaction monitoring program' or 'Transaction Monitoring', which: (ii)stated that the purpose of the transaction monitoring program is to identify suspicious matters and placed responsibility on the Group MLRO to oversee the ongoing operation and effectiveness of the transaction monitoring program; (iii)provided for customer transactions to be monitored using an automated transaction monitoring system and for alerts generated from that system to be investigated by RFO (previously Risk Operations); (iv)required the submission of suspicious matter reports within the applicable time frames to AUSTRAC; and page 41

(c)details in relation to regulatory reporting, which: (v)included a reference to the Westpac Group AML/CTF Regulatory Reporting Standard (see further paragraphs 243 to 247 below); and (vi)included a sub-section headed 'International Funds Transfer Instructions' that provided, among other things, that Westpac has an obligation to report all IFTIs to AUSTRAC within 10 business days after the day on which it sent or received the instruction. 232Underpinning the Program Document, at all relevant times, Westpac had in place Standards, which were maintained by Westpac and updated from time to time. These documents provided details about the requirements, processes, systems and controls necessary to give effect to the Program Document (Standard Documents). 233Westpac's Part A Program comprised the Program Document and the Standard Documents. 234At all relevant times, Westpac's Part A Program set out the minimum requirements to be adopted in relation to Westpac's anti-money laundering and counter-terrorism financing risk and compliance. Risk Assessment Standard 235During the Relevant Period, Westpac had an ML/TF risk assessment standard that included systems and controls intended to ensure Westpac complied with its obligations under the AML/CTF Rules (Risk Assessment Standard). The Risk Assessment Standard was updated over time and relevantly comprised the following versions: (a)version 2.0 effective from 27 September 2013 to 10 December 2014, entitled 'Westpac Group AML/CTF ML/TF Risk Assessment and Methodology Standard'; (b)version 3.0 effective from 11 December 2014 to 28 March 2017, entitled 'Westpac Group AML/CTF ML/TF Risk Assessment and Methodology Standard'; (c)version 3.1 effective from 29 March 2017 to 1 May 2018, entitled 'Westpac Enterprise AML/CTF ML/TF Risk Assessment and Methodology Standard'; (d)version 3.2 effective from 2 May 2018 to 29 May 2018, entitled 'Westpac Group AML/CTF ML/TF Risk Assessment Standard'; (e)version 3.3 effective from 30 May 2018 to 30 April 2019, entitled 'Westpac Group AML/CTF ML/TF Risk Assessment Standard'; and (f)version 3.4 effective on and from 1 May 2019, entitled 'Westpac Group AML/CTF ML/TF Risk Assessment Standard'. 236The Risk Assessment Standard set out the minimum requirements that must be adopted by Westpac in relation to ML/TF risk assessments. 237During the Relevant Period, the Risk Assessment Standard included the following relevant principles: (a)Westpac must undertake ML/TF risk assessments to identify its ML/TF risk exposure; (b)Westpac utilises a multi-tiered approach to its risk assessment methodology to determine the levels of ML/TF risk applicable at an enterprise, Division and/or Business Unit as well

as customer level, including a customer risk assessment, a jurisdiction risk assessment and a product risk assessment process; (c)Westpac must conduct an ML/TF risk assessment of all products offered by Westpac; and (d)Westpac must regularly review the ML/TF risk assessment to ensure it remains relevant, current, adequate and reflective of ML/TF risk trends. 238The Risk Assessment Standard was supported by a number of further documents including ML/TF risk assessment procedures and guidance documents intended to ensure that Westpac complied with its ML/TF risk assessment obligations under the AML/CTF Rules. Transaction Monitoring Program Standard 239At all times during the Relevant Period, Westpac had a transaction monitoring program standard that included systems and controls intended to ensure Westpac complied with its obligations under the AML/CTF Rules (TMP Standard). This document was updated over time and relevantly comprised the following versions: (a)version 2.0 effective from 8 August 2012 to 28 November 2013, entitled 'Westpac Group AML/CTF Transaction Monitoring Program'; (b)version 2.1 effective from 29 November 2013 to 25 February 2016, entitled 'Westpac Group AML/CTF Transaction Monitoring Program'; (c)version 2.1 effective from 26 February 2016 to 31 July 2018, entitled 'Westpac Group AML/CTF Transaction Monitoring Program (Australia)'; and (d)version 1.0 effective on and from 1 August 2018, entitled 'Westpac Group AML/CTF Transaction Monitoring and Suspicious Matter Reporting (SMR) Standard (Australia)'. 240The TMP Standard set out the minimum requirements that must be adopted by Westpac in relation to its transaction monitoring program. 241During the Relevant Period, the TMP Standard included the following relevant principles: (a)Westpac must monitor customer transactions through the use of rule-based detection scenarios that seek to capture behaviour recognised in ML/TF typologies; (b)The transaction monitoring program is owned by the Group MLRO, and the detection scenario logic is managed and maintained by Enterprise Financial Crime (previously named Group AML/CTF and Sanctions), together with Financial Crime Management Analytics (previously Group AML/CTF and Sanctions Analytics); (c)Transaction monitoring detection scenarios are required to undergo ongoing review and refinement; and (d)NetReveal (formerly Detica) is used as the case management system by RFO analysts in clearing and investigating scenario alerts. The alert clearance process can include a review of the customer's transactional history with particular focus on the transaction which triggered the alert, assessment of red flag indicators and other external and internal searches, among other things. 242The TMP Standard was supported by a number of further documents including various transaction monitoring procedures and operational documents intended to ensure that Westpac complied with its transaction monitoring obligations under the AML/CTF Rules. page 43

Regulatory Reporting Standard 243At all times in the Relevant Period, Westpac had a regulatory reporting standard that included systems and controls intended to ensure Westpac complied with its reporting obligations under section 45 of the AML/CTF Act (Regulatory Reporting Standard). This document was updated over time and relevantly comprised the following versions: (a)version 1.1 effective from 17 May 2013 to 8 September 2015, entitled 'Westpac Group AML/CTF Regulatory Reporting Standard'; (b)version 1.2 effective from 9 September 2015 to 30 April 2019, entitled 'Westpac Group AML/CTF Regulatory Reporting Standard (Australia)'; and (c)version 1.0 effective on and from 1 May 2019, entitled 'Westpac Group Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) Transaction Reporting Standard'. 244The Regulatory Reporting Standard sets out the minimum requirements that must be adopted by Westpac in relation to Australian AML/CTF regulatory reporting, including reporting of IFTIs. 245During the Relevant Period, the Regulatory Reporting Standard included the following relevant principles: (a)all reports are uploaded electronically to AUSTRAC Online in the approved XML format as specified by AUSTRAC; (b)Westpac must report IFTIs to AUSTRAC within 10 business days, and those reports must include all reportable details as specified in the AML/CTF Rules; (c)on and from 20 November 2013 to 30 April 2019, Westpac submits test file assessments to AUSTRAC. AUSTRAC provides a written response; (d)from 1 May 2019, Westpac considers whether it is necessary to submit test file assessments to AUSTRAC when AUSTRAC updates the reporting rules or XML schemes, or Westpac changes its system rules used to generate and populate IFTI reports; (e)on and from 20 November 2013 to 30 April 2019, the Enterprise Financial Crime team actively manages and addresses test file issues and observations in conjunction with the Financial Crime Systems team (previously Detica Helpdesk team) and RFO; (f)from 1 May 2019, the Enterprise Financial Crime team identifies changes to the reporting requirements and considers the impact on Westpac's processes and systems, in conjunction with Detica Business Support; (g)Detica provides validation checks and error messages at the front end (Frontline), back end (RFO) and XML generation stages to ensure quality of data; (h)Westpac's regulatory reports are subject to a level of quality checking under the Quality Assurance (QA) framework within RFO. The QA procedure is aligned to a checklist and template, which are subject to ongoing review and updates to incorporate AUSTRAC feedback and other QA observations; (i)the responsibilities for key areas, including division of responsibility as between the Group Financial Crime function, RFO, Divisions (including front line, supported by Divisional Financial Crime teams), and system support teams; and

(j)guidance on when an IFTI should be reported, and what should be reported to AUSTRAC, including guidance on SWIFT and non-SWIFT payment instructions. 246On and from 1 May 2019, the Regulatory Reporting Standard included a requirement that the Divisions must ensure and be satisfied that there were processes and procedures in place (at a Group and/or Divisional level) to ensure that all transactions facilitated by their Division which meet the definition of an IFTI were reported to AUSTRAC within the specified timeframes. This included a requirement that there were controls in place to periodically reconcile the number of IFTIs received and sent against the number of IFTIs submitted to AUSTRAC. 247The Regulatory Reporting Standard was supported by a number of further policies, procedures and processes intended to ensure that Westpac complied with its reporting obligations under section 45 of the AML/CTF Act. Oversight of the Part A Program 248The oversight of Westpac's Part A Program was through a governance framework for managing ML/TF risks (the Financial Crime Risk Management Framework). This included: (a)oversight by the Westpac Group Financial Crime Committee (FINCO), later renamed the Group Operational Risk and Financial Crime Committee (OFCO); the Group Executive Risk Committee (RISKCO) and the Board Risk and Compliance Committee (BRCC). For example, from late 2014, the BRCC, RISKCO and OFCO were provided with quarterly financial crime reports which contained the key risk, operational and compliance metrics relating to the performance of the Part A AML/CTF program. (b)management of the Part A Program by reference to Westpac’s ‘three lines of defence’ risk management model in relation to ML/TF risks, where: (i)the first line comprised the business and operational functions within each Division and Business Unit, which retained primary accountability for complying with AML/CTF obligations and managing ML/TF risk; (ii)the second line comprised: •Division and Business Unit risk and compliance teams (at times during the Relevant Period responsible for, among other things, providing advice to Divisions and Business Units and monitoring compliance with financial crime risk management obligations), •Enterprise Financial Crime (also named Group Financial Crime in the Relevant Period) (responsible for, among other things, developing and maintaining Group level AML/CTF policies, standards, procedures and guidance); and •a team responsible for testing the Group’s compliance with financial crime obligations; (iii)the third line comprised the Group Assurance (later renamed Group Audit) function, which was an independent assurance function that evaluated and opined on the adequacy and effectiveness of both the first and second line risk management approaches and tracked remediation progress of issues identified by the function, with the aim of providing the Board and senior management with comfort as to the Group’s end-to-end risk identification, management and controls.

(c)Westpac setting the level of ML/TF risks it was willing to accept in the normal course of business (risk appetite) which included determining that it had no appetite for intentional breaches of any of its legal obligations, including under the AML/CTF Act. The BRCC had oversight of performance against risk appetite, including with respect to ML/TF risks. C.5.3 Section 81 – Failure to identify, mitigate and manage ML/TF risks - ML/TF risk assessments and risk-based controls 249Risk assessments are the foundation of the obligation to identify, mitigate and manage the ML/TF risks relating to designated services. Risk assessments must be reviewed and updated regularly as ML/TF risks emerge, evolve and change. 250An assessment of the ML/TF risks of designated services requires a reporting entity to take account of the risks posed by customer types, the product or designated service itself, the channel or method by which the designated service is delivered and the foreign jurisdictions dealt with. 251The risk-based systems and controls in a Part A Program must be aligned to current ML/TF risks, as identified in risk assessments. This includes risk-based systems and controls to monitor the transactions of customers, to carry out enhanced customer due diligence and to identify suspicious transactions for the purposes of section 41 of the AML/CTF Act. In determining and putting in place these appropriate risk-based systems and controls, the Part A Program must also have regard to the nature, size and complexity of the reporting entity’s business. 252AML/CTF systems and controls need to be reviewed, tested and reassessed on a regular basis to ensure they are mitigating and managing ML/TF risks as intended. The non-compliance of Westpac’s Part A Program with the AML/CTF Act and AML/CTF Rules 253Between 20 November 2013 and May 2018, Westpac's Part A Program did not fully comply with the requirements of paragraphs 9.1.3 to 9.1.5 of the AML/CTF Rules in that: (a)prior to May 2018, Westpac's Part A Program was not appropriately designed to enable the Group to identify, mitigate and manage the ML/TF risks posed by the methods by which designated services were delivered (Channel Risk). While the Risk Assessment Standard required Westpac to assess inherent Channel Risk when conducting product risk assessments, prior to May 2018, the Risk Assessment Standard did not require, or include procedures for, undertaking Channel Risk assessments separate to the product risk assessment process; (b)Westpac's Part A Program did not include an appropriate level of guidance to enable the Group to appropriately identify all potentially relevant ML/TF risks arising from the provision of new designated services prior to introducing those designated services to the market, including identifying those designated services involving higher ML/TF risks with respect to Westpac's international payments business; (c)Westpac's Part A Program required ML/TF risk assessments to be undertaken for all new products or material variations to products. However, it did not require, or include a process for, product risk assessments to be reviewed or updated to identify new or emerging ML/TF risks. 254Whilst Westpac's risk assessment procedures were uplifted when the Part A Program was amended in May 2018, it took some further time to remediate the risk-based systems and

controls in the Part A program, including transaction monitoring. Deficiencies in risk assessment prior to May 2018 meant that aspects of the Part A Program did not include appropriate risk-based systems and controls to mitigate and manage these risks, including with respect to transaction monitoring, until 20 November 2019. Consequently, from 20 November 2013 to 20 November 2019, Westpac's Part A Program did not fully comply with the requirements of paragraphs 9.1.3 to 9.1.5. of the AML/CTF Rules. The circumstances surrounding the non-compliance of the Part A Program 255The deficiencies in respect of the design of the risk assessment sections of Westpac's Part A Program (as set out in paragraph 253) continued for a number of years. In addition, Westpac accepts that a consistent approach to the assessment of ML/TF risks and controls was not always taken across the Westpac Group and in some areas there was an insufficient end-to-end view of ML/TF risks and controls. Westpac also accepts that from September 2014, it was aware of a number of heightened external risks in the AML/CTF environment. 256In August 2017, in the course of a review undertaken to assess the effectiveness of its AML/CTF control environment across the Group, Westpac identified the need to enhance its risk assessment framework in relation to the assessment of ML/TF risks associated with products, channels and customers. Westpac also identified a significant number of existing and emerging ML/TF risks in WIB and the need to improve its controls in order to manage and mitigate those risks more effectively. In October 2017, the Board and senior management were briefed on these matters and the work that had commenced to uplift the Part A Program and controls in order to address these matters. As fully described in Section E7 below, this work is ongoing. 257In December 2017, Westpac commenced the roll-out of a revised approach across the Group to assessing the ML/TF risks associated with its products and channels. From May 2018, these changes were reflected in updates to the Risk Assessment Standard. In addition, from May 2018, the risk-based systems and controls designed to mitigate ML/TF risks were required to be documented and recorded on a central register maintained by the Group MLRO. As a result of several initiatives, including carrying out the revised product and channel risk assessments in December 2017, Westpac identified a number of AML/CTF controls across the Group in early 2018 that were not appropriately risk-based or embedded across the Group, including transaction monitoring. Appropriate risk-based transaction monitoring is central to Westpac’s understanding of its own ML/TF risks, including emerging risks. 258The Part A Program must be subject to regular independent review, in accordance with paragraph 9.6 of the AML/CTF Rules. The purpose of the independent review should be to assess: (c)the effectiveness of the Part A program having regard to the ML/TF risk of each reporting entity in the designated business group; (d)whether the Part A program complies with the AML/CTF Rules; (e)whether the Part A program has been effectively implemented; and (f)whether each reporting entity in the designated business group has complied with its Part A program. 259At all times, the AML/CTF Rules required the result of the review, including any report prepared, to be provided to senior management. From 12 January 2018, the AML/CTF Rules required that

the result of the review, including any report prepared, to be provided to senior management and the Board. 260Westpac's Group Audit function regularly reviewed aspects of the Group financial crime control environment and provided their findings, together with actions for relevant issue owners, to the senior management team. These findings were then addressed by Westpac. In 2018, a Group Audit report identified that Westpac's Part A Program had not been the subject of an independent review in accordance with the AML/CTF Rules for several years. This was reported to the Board and senior management. Had Westpac conducted an independent review of its Part A Program that fully met the requirements of Part 9.6 of the AML/CTF Rules in the several years prior to 2018, the deficiencies in Westpac's Part A Program at paragraph 253 above may have been identified, reported to senior management and rectified earlier. The ACM and OSBSB arrangements 261The failure to fully comply with paragraphs 9.1.3 to 9.1.5 of the AML/CTF Rules described above at paragraph 253 contributed to the following deficiencies in the risk assessments and controls introduced in relation to the ACM and OSBSB arrangements. ML/TF risks associated with ACM and OSBSB 262The ACM arrangements involved higher ML/TF risks. In particular, the ACM arrangements: (a)facilitated high volume international payments of any value; and (b)involved the cross-border movements of funds, which could have included the movement of funds to and from high risk jurisdictions. 263The ACM arrangements with Bank A involved the following additional ML/TF risks: (a)the arrangements provided Westpac with limited information about the payer or payee; and (b)the arrangements involved a large number of transactions where the payer was a payment processor (Payment Processer A), in circumstances where Westpac did not have information about Payment Processer A's customer. 264The ACM1 arrangement with Bank C had an additional ML/TF risk in that incoming international payments were facilitated through two vostro accounts in Bank C’s name, even though each account was dedicated to the exclusive use by one of two large multinationals and their related companies. 265The OSBSB arrangements also involved ML/TF risks. In particular: (a)through these arrangements, funds could be transferred by third parties both internationally through RTGS and OTT; and (b)additionally, third parties could deposit funds directly into the OSBSB settlement account via the branch network; and (c)the OSBSB arrangements included the facility for the correspondent bank customer to deposit cash through Intelligent Deposit Machines (IDM). Failure to carry out appropriate risk assessments and mitigate and manage those risks 266Although Westpac did conduct risk assessments in relation to the ACM and OSBSB arrangements during the Relevant Period, the assessments it conducted did not appropriately

assess the ML/TF risks reasonably faced in relation to the provision of designated services through each of the ACM and OSBSB arrangements. 267Further, having failed to adequately identify and assess these risks, while Westpac did have in place systems and controls to mitigate and manage the ML/TF risks of providing designated services through the ACM and OSBSB arrangements, these were not appropriately risk-based. 268In relation to the ACM arrangements, these are described in paragraph 277 below. 269In respect of the OSBSB arrangements, while Westpac did apply: (a)the same transaction monitoring rules that applied to transactional bank accounts; (b)Westpac's threshold transaction reporting process for deposits at or above $10,000; (c)a requirement that the identity of third parties be verified for deposits at or above $10,000; and (d)a restriction on third parties making deposits via ATMs (but not IDMs), it did not: (e)place deposit limits on cash deposits into OSBSB accounts with Banks B and J, including cash deposits through IDMs; or (f)mandate that the identity of third parties depositing cash or cheques at a branch with a value below $10,000 was verified. C.5.4 Section 81 – transaction monitoring program 270Westpac is required to include a transaction monitoring program in its Part A Program. The transaction monitoring program is a central component of Part A and: (a)must include appropriate risk-based systems and controls to monitor the transactions of customers; (b)must have the purpose of identifying, having regard to ML/TF risk, any transaction that appears to be suspicious for the purposes of section 41 of the AML/CTF Act; and (c)should have regard to complex, unusual large transactions and unusual patterns of transactions, which have no apparent economic or visible lawful purpose, (section 85(2)(c) of the AML/CTF Act and paragraphs 15.4 to 15.7 of the AML/CTF Rules). 271Between 20 November 2013 and 20 November 2019 (unless stated otherwise below), Westpac's transaction monitoring program did not fully comply with the requirements of paragraph 15.5 of the AML/CTF Rules in that deficiencies in Westpac's Part A Program relating to the identification and assessment of the ML/TF risks it faced in relation to products and channels (set out at paragraph 253 above) meant that, as a result, Westpac's transaction monitoring program did not include risk-based systems and controls to appropriately monitor transactions across all designated services provided by the Group, including in the following respects; (a)not all designated services were appropriately monitored, having regard to the ML/TF risks they posed; (b)there were inadequate processes to ensure that new or emerging ML/TF risks would be identified and subject to appropriate transaction monitoring;

(c)there were inadequate processes to escalate and consider guidance on ML/TF risks and typologies from AUSTRAC and law enforcement agencies to ensure that detection scenarios were aligned to current ML/TF risks; and (d)prior to 2014, alerts from automated transaction monitoring detection scenarios were only generated and processed on a monthly basis. The circumstances surrounding the non-compliance of the Part A Program 272In mid-2015, Group Audit prepared an audit report that included an issue raised by WIB Financial Crime regarding deficiencies in the Group’s transaction monitoring program with regard to the monitoring of certain transactions, including international transactions. The Group Audit report included a management action plan, which required a detailed analysis of the current state of the transaction monitoring program to determine the extent of gaps. In August 2015, Enterprise Financial Crime circulated a memorandum outlining the current scope of Westpac's transaction monitoring program. Over the course of 2016 and 2017, Westpac took actions to address transaction monitoring issues in other jurisdictions. In August 2017, gaps in the transaction monitoring program were again identified. 273In April 2018, an external review advised Westpac of weaknesses in detection scenarios across 120 products that it reviewed. The review concluded that 45 of these products required automated monitoring where none had been applied and the remaining 75 required additional monitoring scenarios. In 2018, management action plans were developed to address the gaps. 274Had Westpac conducted an independent review in accordance with the AML/CTF Rules in the several years prior to 2018 (see paragraph 260 above), these deficiencies in Westpac's transaction monitoring program may have been identified, reported to senior management and rectified earlier. 275In early 2018, the Board and senior management were advised that improvements to the transaction monitoring program had been identified and that the uplift of the transaction monitoring program was a priority area. In August 2018, Westpac disclosed to AUSTRAC that it had identified products where it considered that automated transaction monitoring had not been applied in circumstances where it should have been, the range of scenarios that had been deployed under the transaction monitoring program should be enhanced and manual processes should be established to better manage ML/TF risks. Westpac's international payments business 276Westpac had a range of automated transaction monitoring scenarios in place in relation to international payments, but the failure to fully comply with paragraph 15.5 of the AML/CTF Rules described at paragraph 271 above led to Westpac's failure to appropriately monitor the ML/TF risks of aspects of its international payments business in the following regards. 277In relation to the ACM arrangements: (a)while Westpac had in place some transaction monitoring in relation to the ACM arrangements, this was limited to the dispersal of funds through the direct entry channel where the funds were deposited into a Westpac customer account; (b)Westpac did not obtain sufficient information about each international funds transfer instruction received under the ACM arrangements with Banks A to F so as to enable it to appropriately monitor these banks' transactions on a risk basis. None of the instructions

received under the ACM arrangements contained details about the purpose of payment and some instructions had limited information about one or more of the following criteria: the payer, currency and jurisdiction of origin. (c)a significant number of payments processed through the ACM arrangements with Bank A related to the transfer of funds by Payment Processor A, which potentially carried higher ML/TF risks. Transactions through these arrangements were not subject to appropriate risk-based monitoring and were not identified as being of a different profile to the usual payments processed via the ACM arrangements with Bank A; and (d)from November 2016 Westpac started to apply sanction screening to the Direct ACM arrangements with Bank C (when those arrangements commenced) and it took until September 2018 for the other ACM arrangements to be subjected to sanction screening. 278In relation to the OSBSB arrangements: (a)monitoring of OSBSB transactions was not appropriately risk-based; (b)Westpac did not have appropriate controls in place to know the identity of the customers of Bank B and Bank J that had been allocated an OSBSB sub-account, or the origin of funds transferred to, or destination of funds transferred from, the Bank B Settlement Account and Bank J Settlement Account; and (c)cash deposits into OSBSB Settlement Accounts were not appropriately monitored. 279In relation to Vostro accounts, it was not until September 2017, that appropriate automated monitoring was introduced. Whilst appropriate, this automated monitoring was not adequate to fully understand and monitor for the ML/TF risks of payment flows. Nor did it apply to all vostro accounts (as a matter of substance). 280In relation to transaction monitoring for the child exploitation material (CEM) risk: (a)from 2013, AUSTRAC and, in 2016, the Commonwealth Attorney-General's Department, published information about the child exploitation risks associated with frequent low value payments to the Philippines and other jurisdictions. In December 2016 and January 2017, AUSTRAC provided reporting entities, including Westpac, with methodology briefs detailing the key indicators for the purchase of live-streaming child exploitation material, involving international funds transfers to the Philippines and South East Asia (collectively, the Guidance); (b)in May 2016, Westpac assessed the heightened child exploitation risks associated with low value payments to the Philippines through the LitePay product and identified the need for detection scenarios to be included in the transaction monitoring program for LitePay and other international payment channels that could be used to process low value payments. From the launch of the LitePay product in August 2016, two detection scenarios were implemented that were intended, among other things, to identify transactions that might be indicative of child exploitation risk. However, these scenarios did not adequately reflect the Guidance and did not apply to other payment channels; (c)in June 2018, an updated automated detection scenario was implemented to monitor the LitePay channel for the known child exploitation typologies involving the Philippines; and (d)throughout the Relevant Period until October 2019, Westpac did not implement an appropriate detection monitoring scenario to monitor for the known child exploitation

typologies involving frequent low value payments to the Philippines and South East Asia via non-LitePay channels. C.5.5 Section 81 – systems and controls for IFTI reporting 281Westpac was required under paragraph 9.9.1(2) of the AML/CTF Rules to include, in its Part A Program, systems and controls designed to ensure compliance with the obligation to report IFTIs under section 45 of the AML/CTF Act. 282Notwithstanding the systems, controls and processes included in the Regulatory Reporting Standard as set out at paragraph 245 above, between 20 November 2013 and 20 November 2019, Westpac’s Part A Program: (a)did not include processes for ensuring that Westpac was reporting to AUSTRAC all IFTIs that it was required to report under section 45 of the AML/CTF Act, including appropriate end-to-end reconciliation, assurance and adequate oversight processes to detect ongoing non-compliance with IFTI reporting obligations; (b)did not include appropriate processes to identify all source systems that create payment instructions that required reporting under section 45 of the AML/CTF Act, including with respect to non-SWIFT instructions; and (c)did not include appropriate processes to identify non-SWIFT IFTIs that did not include complete payer information. C.5.6 Conclusions 283For the reasons set out at paragraphs 253, 271 and 282, Westpac contravened section 81 of the AML/CTF Act from 20 November 2013 to 20 November 2019 by commencing to provide designated services in circumstances where its Part A Program did not fully comply with the requirements of the AML/CTF Rules in significant respects. C.6 Ongoing Customer Due Diligence – contraventions of section 36 of the AML/CTF Act C.6.1 Customers 1 – 262 284For the reasons set out in paragraphs 285 to 316, from 20 November 2013 until 20 November 2019, Westpac's transaction monitoring program did not include sufficient risk-based systems and controls to monitor the risk that the provision of designated services to its customers might involve or facilitate the funding of CEM. 285At various times from 20 November 2013, each of the 262 Customers set out in Annexure C: (a)held one or more accounts with Westpac; and (b)conducted transactions on one or more such account within the meaning of item 3, table 1, section 6 of the AML/CTF Act. The SMRs prior to November 2019 Customers 1 to 11 286Prior to 20 November 2019, Customers 1, 2 and 4 to 11 were customers of Westpac. Customer 3 was a customer of Westpac until October 2019. Each of these customers held an account with Westpac and conducted transactions on this account within the meaning of item 3, table 1, section 6 of the AML/CTF Act.

287On and from the following dates, there were repeated patterns of frequent low value transactions on these accounts that were consistent with CEM typologies according to the guidance issued by AUSTRAC, or other regulatory or industry bodies, in relation to CEM risk (Guidance) available at the time (Relevant Transactions). These transactions were effected through multiple international payment channels. (a) Customer 1 – November 2013 (b) Customer 2 – November 2013 (c) Customer 3 – April 2016 (d)Customer 4 – November 2016 (e)Customer 5 – June 2015 (f)Customer 6 – May 2016 (g)Customer 7 – March 2016 (h)Customer 8 – May 2016 (i)Customer 9 – March 2018 (j)Customer 10 – March 2017 (k)Customer 11 – February 2019 288Westpac first identified activity on the accounts as indicative of typologies identified in the Guidance available at the time and gave the AUSTRAC CEO a CEM-related suspicious matter report (SMR) in relation to this activity as follows: (a)Customer 1 – 11 June 2019 (b)Customer 2 – 25 July 2018 (c)Customer 3 – 4 July 2019 (d)Customer 4 – 19 March 2018 (e)Customer 5 – 18 April 2019 (f) Customer 6 – 12 April 2018 (g) Customer 7 – 23 July 2018 (h) Customer 8 – 24 July 2018 (i)Customer 9 – 30 August 2019 (j)Customer 10 – 1 February 2019 (k)Customer 11 – 18 October 2019 289Had Westpac implemented appropriate transaction monitoring at the time of the Relevant Transactions, some or all of the transactions: (a)may have been identified prior to the date of the SMR at 288 as consistent with typologies according to the Guidance available at the time; and, if identified, (b)would have been the subject of investigation by Westpac's RFO Team in order to determine whether those transactions were 'false positives', in that they triggered the detection scenario but were, upon investigation, not indicative of CEM, and, if not 'false

positives', whether they gave rise to an obligation to give the AUSTRAC CEO an SMR pursuant to section 41 of the AML/CTF Act. 290Once Westpac had formed a suspicion of possible CEM, in accordance with paragraph 15.9 of the AML/CTF Rules, appropriate enhanced customer due diligence (ECDD) steps for the purposes of paragraph 15.10 of the AML/CTF Rules should have included: (a)a review of the complete customer relationship, including a review of all accounts held by the customer or to which the customer was a signatory; (b)a review or update of the customer’s 'know your customer' information; (c)escalation of the customer, and any related customer, suspected of CEM to determine whether to continue the business relationship with that customer; (d)if an ongoing relationship is approved, increased monitoring of the customer’s activity to identify, mitigate and manage any ongoing CEM risks; and (e)if an ongoing relationship is declined, the placing of restrictions on the types of transactions the customer could make, or advance account closure, to mitigate and manage ongoing CEM. 291Whilst Westpac undertook some ECDD in relation to Customers 1 to 11 after filing the SMR, the ECDD was not adequate. 292By reason of the matters set out in paragraphs 286 to 291, from the relevant dates identified in paragraph 287 until 20 November 2019, Westpac contravened section 36(1) of the AML/CTF Act with respect to each of Customers 1, 2, 4 to 11. 293By reason of the matters set out in paragraphs 286 to 291, from the date identified in paragraph 287(c) until October 2019, Westpac contravened section 36(1) of the AML/CTF Act with respect to Customer 3. Customer 12 294From April 2001 until 19 August 2019, Customer 12 was a customer of Westpac. From 2016, Customer 12 held accounts with Westpac (Customer 12 Accounts) and was conducting ongoing transactions on these accounts within the meaning of item 3, table 1, section 6 of the AML/CTF Act. 295On 4 June 2019, a manual alert was raised by a Westpac staff member who identified potentially suspicious activity through face-to-face interactions with Customer 12. The potentially suspicious activity concerned payments Customer 12 had made to the Philippines from one Customer 12 Account (First Customer 12 Account). As a result of this manual alert being raised, RFO conducted further investigations and identified, on 6 June 2019, that Customer 12 had a prior conviction for child exploitation offences. 296The RFO investigation resulted in Westpac giving the AUSTRAC CEO a CEM-related SMR in relation to activity on the First Customer 12 Account on 13 June 2019. 297Westpac decided to exit Customer 12 on 15 July 2019 and sent Customer 12 an exit letter on 17 July 2019. However, until the Customer 12 Accounts were closed on 19 August 2019, Customer 12 was able to transact on the Customer 12 Accounts without heightened restrictions in place.

298During the period 10 June 2019 to 19 August 2019, Customer 12 made nine low value transfers through one Customer 12 Account, which were consistent with typologies according to the Guidance available at the time (Customer 12 Transactions). 299Had Westpac implemented appropriate transaction monitoring at the time of the Customer 12 Transactions and conducted appropriate ECDD, some or all of the Customer 12 Transactions: (a)may have been identified as consistent with typologies according to the Guidance available at the time; and, if identified, (b)would have been the subject of investigation by Westpac's RFO Team in order to determine whether those transactions were 'false positives', in that they triggered the detection scenario but were, upon investigation, not indicative of CEM, and, if not 'false positives', whether they gave rise to an obligation to give the AUSTRAC CEO an SMR pursuant to section 41 of the AML/CTF Act. 300Once Westpac filed an SMR in relation to possible CEM, it undertook some, but not all, of the ECDD measures outlined at paragraph 290. Had Westpac promptly reviewed all accounts held by Customer 12 once it became aware of Customer 12’s conviction, Westpac would have identified ongoing transactions indicative of CEM and would have been in a position to take appropriate steps to stop this ongoing activity. 301By reason of the matters set out in paragraphs 294 to 300, Westpac contravened section 36(1) of the AML/CTF Act with respect to Customer 12 from June 2019 to 19 August 2019. The SMRs post November 2019 (Customers 13 – 260) 302In October 2019, Westpac extended its child exploitation automated transaction monitoring detection scenario to payments made via the SWIFT channel to the Philippines and by 24 November 2019, it had extended the scenarios to apply to additional South East Asian jurisdictions that pose a higher risk in relation to child exploitation. 303In December 2019, Westpac completed a review of all child exploitation transaction types for the Philippines, South East Asia and Mexico over the prior three year period to identify and report to the AUSTRAC CEO any further suspicious transactions or customers. 304Following the introduction of the new filters and following the three year review as described above, on and from late November 2019 Westpac gave the AUSTRAC CEO additional suspicious matter reports in relation to potential child exploitation, including in relation to Customers 13 to 260. 305On and from the dates specified in column B of Annexure C, there were repeated patterns of frequent low value transactions on each of these accounts that were consistent with CEM typologies according to the Guidance available at the time. These transactions were effected through multiple international payment channels. 306Westpac identified activity on the accounts as indicative of typologies identified in the Guidance available at the time and gave the AUSTRAC CEO a CEM-related SMR in relation to this activity on the date specified in column C of Annexure C. 307Had Westpac implemented appropriate transaction monitoring at the time of the Relevant Transactions, some or all of the transactions:

(a)may have been identified and notified to the AUSTRAC CEO in an SMR prior to the SMR specified in column C of Annexure C as consistent with typologies according to the Guidance available at the time; and, if identified, (b)would have been the subject of investigation by Westpac's RFO Team in order to determine whether those transactions were 'false positives', in that they triggered the detection scenario but were, upon investigation, not indicative of CEM, and, if not 'false positives', whether they gave rise to an obligation to give the AUSTRAC CEO an SMR pursuant to section 41 of the AML/CTF Act. 308By reason of the matters set out in paragraphs 302 to 307, from the relevant date identified in column B of Annexure C until the identification of the matters that led to the filing of the SMR specified in column C of Annexure C, Westpac contravened section 36(1) of the AML/CTF Act with respect to each of Customers 13 to 260. Customers 261 and 262 309From 12 March 1986 until 25 May 2018, Customer 261 was a customer of Westpac. From 12 March 1986, Customer 261 held accounts with Westpac (Customer 261 Accounts) and was conducting ongoing transactions on these accounts within the meaning of item 3, table 1, section 6 of the AML/CTF Act. 310From 17 September 2002 until 29 July 2020, Customer 262 was a customer of Westpac. From 17 September 2002, Customer 262 held accounts with Westpac (Customer 262 Accounts) and was conducting ongoing transactions on these accounts within the meaning of item 3, table 1, section 6 of the AML/CTF Act. 311Between 14 May 2014 and 10 April 2018, Customer 261 made 129 ATM withdrawals in South East Asia in amounts ranging from $37.04 to $477.11, and totalling $40,067.14. 312Prior to these transactions, Customer 261 had been arrested and remanded in custody for child exploitation related offences. This fact was unknown to Westpac at the time. 313Customer 261 was found guilty of child exploitation related offences in 2018. 314On 27 February 2018, Westpac gave the AUSTRAC CEO an SMR in relation to Customers 261 and 262 in connection with child exploitation, after Westpac identified that Customer 262 had been convicted of child exploitation related offences. 315Had Westpac conducted appropriate ongoing customer due diligence with respect to Customers 261 and 262, these child exploitation related suspicions could have been identified earlier. 316By reason of the matters set out in paragraphs 309 to 315, from: (a) 24 September 2014 until 25 May 2018, Westpac contravened section 36(1) of the AML/CTF Act with respect to Customer 261; and (b) January 2017, Westpac contravened section 36(1) of the AML/CTF Act with respect to Customer 262. D. FORMAL ADMISSIONS 317By reason of the matters set out above, Westpac makes the following admissions for the purposes of the Proceedings:

(a)Westpac contravened section 45(2) of the AML/CTF Act on 19,578,985 occasions by failing to give IFTIs to the AUSTRAC CEO within the time frame stipulated by section 45(2) of the AML/CTF Act, as identified in paragraphs 52, 87, 92, 102 and 114 above. (b)Westpac contravened section 64(7)(f) of the AML/CTF Act on 8,140 occasions by not including in the instruction to another institution in the funds transfer chain so much of the required transfer information as it had been given to it (as the interposed institution), as identified in paragraph 124. (c)Westpac contravened section 64(6) of the AML/CTF Act on 2,400 occasions by not including in the instruction to another institution in the funds transfer chain so much of the required transfer information as it had been given to it (as the ordering institution), as identified in paragraph 129. (d)Westpac contravened section 115(2) of the AML/CTF Act on 3,516,238 occasions by failing to retain a record of all the required transfer information for 7 years, as identified in paragraph 136. (e) Westpac contravened section 98(1) of the AML/CTF Act by not conducting an adequate Preliminary Risk Assessment on 48 occasions and section 98(2) of the AML/CTF Act by not conducting an adequate Due Diligence Assessment on 48 occasions, as identified in paragraph 223. (f)Westpac contravened section 81 of the AML/CTF Act from 20 November 2013 to 20 November 2019 in circumstances where its Part A Program did not fully comply with the requirements of the AML/CTF Rules, as identified in paragraphs 253, 271 and 282. (g)Westpac contravened section 36(1) of the AML/CTF Act by failing to monitor the below customers on the following occasions: (i)from the relevant dates identified in paragraph 287 until 20 November 2019 with respect to each of Customers 1, 2, 4 to 11, as identified in paragraph 292; (ii)from the relevant date identified in paragraph 287(c) until October 2019, with respect to Customer 3, as identified in paragraph 293; (iii)from June 2019 to 19 August 2019 with respect to Customer 12, as identified in paragraph 301; (iv)from the relevant date identified in column B of Annexure C until the identification of the matters that led to the filing of the SMR specified in column C of Annexure C with respect to each of Customers 13 to 260, as identified in paragraph 308; (v)from 24 September 2014 until 25 May 2018, with respect to Customer 261, as identified in paragraph 316; and (vi)from January 2017, with respect to Customer 262, as identified in paragraph 316. E. FACTS RELEVANT TO RELIEF E.1 Nature and extent of the contraventions E.1.1IFTI Reports – Contraventions of section 45 of the AML/CTF Act

318Westpac's admitted failure to give 19,502,841 IFTIs to the AUSTRAC CEO within the time frame specified by section 45(2) of the AML/CTF Act occurred in the circumstances described in paragraphs 46 to 109 above. Westpac's admitted failure to give 76,144 IFTIs to the AUSTRAC CEO that contained payer names, as required by section 45(2) of the AML/CTF Act, occurred in the circumstances described in paragraphs 110 to 115 above. At the time of the first relevant contravention in November 2013, a contravention carried a maximum penalty of $17 million. This maximum penalty increased to $18 million on 1 August 2015 and to $21 million on 1 July 2017. 319None of the contraventions was the result of any deliberate intention to breach the AML/CTF legislation. 320This was in circumstances where there were opportunities to prevent and detect the non-reporting and, when it was identified, failures to escalate it, including the following. (a)In late 2011, Westpac received a number of queries from AUSTRAC relating to its IFTI reporting. These queries prompted the preparation of a report by Group AML/CTF entitled 'Westpac's International Funds Transfer Instructions (IFTIs) reporting solution' (the 2013 IFTI Report). The 2013 IFTI Report purported to, among other things, 'assess Westpac's IFTI solution within Detica for any compliance gaps with our IFTI reporting obligations and to identify improvement opportunities'. It included the following finding, but did not identify the non-reporting: Our review of structured IFTIs indicate that the structured IFTI reporting solution in Detica was implemented in a short amount of time, without the Project having an adequate understanding of reportable details in an IFTI and the criteria for a payment instruction to be reportable. This led to a number of gaps in the design of the structured IFTIs solution. […] A number of gaps were found to be present in Westpac's structured IFTIs, ranging from data quality, incorrect usage of XML tags, incorrect information populated in XML tags, and incorrect definitions of reportability. It is strongly recommended that additional analysis and assessment is performed on structured IFTIs and appropriate fixes put in place to rectify the compliance gaps identified. (b)In July 2013, AUSTRAC undertook a review of Westpac's compliance with certain obligations, including in relation to IFTI reporting. One of AUSTRAC's recommendations was that Westpac perform a review of payment instructions not reported to AUSTRAC. This recommendation from AUSTRAC was the basis for a review undertaken by Group Assurance that culminated in the provision to AUSTRAC on 30 June 2014 of a 'Group Assurance Report – AML/CTF International Funds Transfer Instructions Reporting – Audit' (the 2014 Group Assurance Report). The relevant non-reporting was not identified in preparing the 2014 Group Assurance Report. (c)The 2014 Group Assurance Report included a 'Management Action Plan', which generated ongoing work by Group Assurance through 2014 and 2015, which did not identify the non-reporting. (d)In early 2016, a team within GTS commenced a project known as the “ACM Remediation Project”, prompted by an awareness within GTS of potential AML/CTF compliance issues (including in relation to IFTIs in respect of the ACM arrangements; however, not in relation to the non-reporting of IFTIs to the AUSTRAC CEO). During the course of the ACM Remediation Project, on 22 May 2017, a GTS Associate Director emailed the Team

Lead in the Digital Transformation Technology (DTT) team asking which of certain banks’ incoming IFTIs were being reported to the AUSTRAC CEO. The DTT Team Lead responded that same day that all of those banks’ incoming IFTIs were being reported to the CEO of AUSTRAC except for Bank B. This was not brought to the attention of senior management. (e)On 8 August 2017, the General Manager of GTS requested an urgent review of the completeness of IFTI reporting within GTS. This request prompted significant activity in a short time period. In the course of that activity: (i)other employees became aware of the Bank B non-reporting; and (ii)one DTT employee within GTS identified that IFTIs in respect of the ACM arrangement with Bank A were not being reported to the AUSTRAC CEO; however, at the time that employee did not appreciate what he had identified. Notwithstanding the above, non-reporting was not brought to the attention of the Group MLRO or senior management within the financial crime control functions (including the General Manager of GTS). 321It was not until May 2018 that the Group MLRO became aware of these issues, following which urgent steps were taken to escalate the matter, including taking it to Westpac's Regulatory Disclosure Forum on 25 July 2018 and reporting it to the AUSTRAC CEO on 15 August 2018. 322Since these contraventions were identified, Westpac has undertaken a range of further enhancements in respect of its IFTI reporting, as identified in E.7 below. 323The 19,502,841 contraventions of section 45 relating to the late IFTIs and the 76,144 contraventions of section 45 relating to the failure to include payer names in IFTIs were serious because: (a)Westpac did not have appropriate end-to-end reconciliation, assurance and oversight processes to ensure that it was reporting IFTIs to the AUSTRAC CEO in accordance with its obligations under section 45 of the AML/CTF Act. (b)Westpac did not identify that over 72% of all incoming IFTIs received by Westpac for the period 5 November 2013 to 3 September 2018 had not been reported. (c)Westpac’s assurance processes to identify non-compliance with IFTI reporting were inadequate, particularly in relation to IFTIs that were processed through non-SWIFT payment systems. Westpac did not have adequate controls in place to identify the requirement to report IFTIs in relation to Ordering Institution A. Nor did Westpac have appropriate assurance processes in place to identify non-SWIFT IFTIs that did not include a payer name. (d)As a result of the failure to file the IFTIs on time, AUSTRAC, the Australian Taxation Office (ATO) and other law enforcement agencies have been deprived of timely information relating to over $11 billion in international payments for up to 6 years. (e)Late reporting delays and hinders law enforcement efforts. (f)IFTI information facilitates the tracking of off-shore movements of funds relating to offences such as money laundering, terrorism financing, cyber-crime, child exploitation and other crime. Given that international payments systems allow money to move quickly, late IFTIs compromises the ability of law enforcement to trace money and to investigate page 59

and prosecute serious crimes. Late IFTIs also delay law enforcement’s ability to identify and stop ongoing crime. (g)As the international payments system allows money to move quickly, late IFTIs can also compromise the ability of law enforcement to trace and recover the proceeds of crime. (h)IFTIs assist in the process of revenue collection. Of the IFTI reports lodged late by Westpac, over 5.7 million transactions fall outside of the statutory limits the ATO operates under in respect to taking corrective action against taxpayers who have lodged tax returns. The value of the reported funds in respect to these transactions is $2.9 billion. (i)Of the 2,314 IFTI reports lodged late relating to LitePay: (i)18 related to 7 of the first 12 customers with respect to whom Westpac had identified transactions suspected to be indicative of child exploitation; and (ii)19 related to customers 27, 41, 45, 68, 81, 104, 127, 139, 160, 186, 210 and 221 with respect to whom Westpac had identified transactions suspected to be indicative of child exploitation (j)AUSTRAC, the ATO and other law enforcement were not given timely intelligence in relation to those 37 international transfers. During the Relevant Period, Westpac reported to AUSTRAC approximately 4,773 IFTIs relating to the 262 customers within 10 days of the relevant international transfers taking place. (k)76,144 IFTI reports, totalling $82,731,499, did not include the payer name, as required by the AML/CTF Act and AML/CTF Rules. As a result, AUSTRAC does not have information about the origin of this transferred money. Information about the origin of funds is critical to enable AUSTRAC, the ATO and other law enforcement agencies to follow money that may be connected to unlawful activity. The absence or loss of information about the origin of funds significantly compromises investigations and prosecutions. E.1.2Information about the origin of the transferred money – contraventions of Part 5 of the AML/CTF Act 324Westpac's admitted failure to: (a)pass on some or all of the required transfer information to another institution in relation to 8,140 IFTIs Westpac transmitted out of Australia, in contravention of section 64(7)(f) of the AML/CTF Act; and (b)pass on complete payer information to another institution in relation to 2,400 IFTIs, in contravention of section 64(6) of the AML/CTF Act, occurred in the circumstances described in paragraphs 116 to 130 above. At the time of the first relevant non-compliance in January 2014, a contravention carried a maximum penalty of $17 million. This maximum penalty increased to $18 million on 1 August 2015 and to $21 million on 1 July 2017. 325None of the contraventions was the result of any deliberate intention to breach the AML/CTF legislation. 326Since these contraventions were identified, Westpac has undertaken a range of measures to ensure that it is passing on all necessary information, as identified in E.7 below. 327The contraventions are serious because:

(a)Westpac did not have appropriate processes to ensure compliance with section 64 of the AML/CTF Act. (b)The required transfer information was held by Westpac or other Australian financial institutions and was readily accessible by Westpac. (c)Westpac’s processes did not identify these systemic failures for over 5 years. (d)Full transparency of the origin of funds is essential for other financial institutions in funds transfer chains to identify, mitigate and manage their own ML/TF risks. Westpac’s failure to pass on the required transfer information may have impacted the ability of other financial institutions to manage ML/TF risk. (e)Information about the origin of funds is critical to enable AUSTRAC, the ATO and other law enforcement agencies to follow money that may be connected to unlawful activity. It is critical that information about the origin of funds be included in all payment instructions and that it be readily available to law enforcement and other agencies. The absence of payment transparency delays and inhibits the investigation and prosecution of offences. E.1.3Making and retaining records – contraventions of section 115 of the AML/CTF Act 328Westpac's admitted failure to retain for 7 years records of so much of the required transfer information as was passed onto Westpac in relation to the 3,516,238 transfer instructions referred to in paragraph 131 above occurred in the circumstances described in paragraphs 131 to 137 above. 329None of the contraventions was the result of any deliberate intention to breach the AML/CTF Act. 330Further, as described in paragraph 137 above, these contraventions occurred as a result of systems that have now been wholly replaced, or as a result of configuration issues in current systems that have been identified and fixed. 331The contraventions are serious because: (a)Proper record keeping is essential to AML/CTF risk management and compliance. (b)Westpac’s IT change management and assurance processes did not identify failures to retain backup files for over 6 years. (c)The lost records related to the origin of over 3.5 million incoming international transactions. (d)AUSTRAC, the Commissioner of Taxation and other law enforcement agencies are entitled to request information about incoming IFTIs, including in relation to the origin of funds. The record keeping obligations in section 115 of the AML/CTF Act support this statutory entitlement. (e)Information about the origin of funds is critical to enable AUSTRAC, the ATO and other law enforcement agencies to follow money that may be connected to unlawful activity. E.1.4Correspondent Banking Due Diligence – contraventions of section 98 of the AML/CTF Act 332Westpac's admitted failure to comply with section 98 of the AML/CTF Act in relation to the Preliminary Risk Assessments and Due Diligence Assessments undertaken in respect of its correspondent banking relationships occurred in the circumstances described in paragraphs 138 to 223 above. At the time of the first contravention in November 2013, a contravention carried a page 61

maximum penalty of $17 million. This maximum penalty increased to $18 million on 1 August 2015 and to $21 million on 1 July 2017. 333Despite the admitted contraventions referred to in sections C.4.3 and C.4.4 above, those contraventions, while serious, were not the result of any deliberate intention to breach the AML/CTF Act. Westpac believed that it was compliant with the AML/CTF Act in respect of its correspondent banking due diligence obligations. This belief was reasonable given: (a)in 2012 Westpac received confirmation from an external review that its processes addressed the requirements in the AML/CTF Act and the AML/CTF Rules in relation to correspondent banking and that those processes were operating as designed. The relevant provisions in the AML/CTF Act and the AML/CTF Rules have not changed materially since this review; (b)second line assurance testing and third line Group Audit reports that considered correspondent banking due diligence processes and procedures during the Relevant Period did not identify non-compliance with the AML/CTF Act or AML/CTF Rules; and (c)in 2016, AUSTRAC conducted an assessment of Westpac's compliance with its correspondent banking due diligence obligations, including section 98 of the AML/CTF Act. In its report on 15 December 2016, AUSTRAC made seven recommendations 'for Westpac to consider in enhancing its compliance with the AML/CTF Act and the [AML/CTF Rules]', but did not identify any non-compliance with the AML/CTF Act or the AML/CTF Rules. The recommendations and Westpac's response are described in paragraph 393 below. 334In particular, and evidencing Westpac’s intention to comply with the AML/CTF Act, as explained in paragraphs 138 to 223 above: (a)Westpac had procedures requiring that Preliminary Risk Assessments and Due Diligence Assessments be conducted, and a system directed to achieving this, as reflected in the CB Standard and CB Procedures Manual; (b)while its Preliminary Risk Assessments and Due Diligence Assessments in respect of the correspondent banks were conducted regularly, they were deficient in some respects; and (c)during the period of the contraventions, Westpac introduced significant improvements to its CB Standard and CB Procedures Manual, including establishment of the CBDDC in 2017 to uplift the CB Procedures Manual and improve correspondent banking governance. 335However, these contraventions are serious for the following reasons: (a)correspondent banking relationships present higher ML/TF risks associated with cross-border movements of funds, jurisdiction risk (including the risks of operating in certain foreign countries) and risks associated with the transparency of the identity and source of funds of customers of the correspondent banks; (b)the requirement to undertake regular Preliminary Risk Assessments and Due Diligence Assessments of correspondent banking relationships is a central aspect of the AML/CTF regulatory regime, as well as being a key element of Westpac's AML/CTF Program. It

provides an appropriate means for ensuring that the reporting entity is in a position to identify, mitigate and manage its ML/TF risks; (c)appropriate risk-based monitoring over vostro accounts is a key requirement of the correspondent banking due diligence obligation. Without appropriate monitoring of vostro accounts, although Westpac did monitor MT103 instructions, Westpac was not in a position to understand fully the ongoing ML/TF risks posed by its correspondent banking relationships. Nor was it in a position to understand fully the ongoing ML/TF risks of the payments flowing through the vostro accounts; (d)further to the context set out in paragraph 333(c), in December 2016 AUSTRAC made seven recommendations for Westpac to consider in enhancing its compliance with the AML/CTF Act and the AML/CTF Rules in relation to correspondent banking due diligence. While Westpac took steps to address the recommendations, the steps it took did not adequately address AUSTRAC's recommendations; (e)flaws in the design and implementation of the correspondent banking due diligence assessment processes could have been identified and addressed earlier had Westpac had stronger first line testing, second line oversight and assurance, and third line audit coverage; (f)Westpac did not always have appropriate processes to monitor whether transactions being processed through its correspondent banking relationships were consistent with its risk appetite; and (g)Westpac’s correspondent banking relationships allowed foreign institutions to operate within its banking environment and within the Australian payments system. The failure of Westpac to appropriately monitor vostro and Direct ACM arrangement payment flows increased the exposure of Westpac, the Australian payments system, and some international payments channels to ML/TF risks. 336Since and during the time of these contraventions, Westpac has undertaken a range of further enhancements in respect of its CB Standard and CB Procedures Manual, as set out in paragraphs 393 and 394 below E.1.5AML/CTF Program 337Westpac contravened section 81 of the AML/CTF Act from 20 November 2013 to 20 November 2019 by commencing to provide designated services in circumstances where its Part A Program did not, for the reasons set out at paragraphs 253, 271 and 282, fully comply with the requirements of the AML/CTF Rules. Each time Westpac commenced to provide a designated service during that period, it contravened section 81 of the AML/CTF Act. The contraventions are significant in number but too numerous to quantify. The maximum penalty for each contravention ranges from $17 million to $21 million. E.1.5.1 Failure to identify, mitigate and manage ML/TF risks – ML/TF risk assessments and risk-based controls 338These contraventions are serious because: (a)The AML/CTF Act reposed a high degree of trust in Westpac to identify, mitigate and manage the ML/TF risks of its own business.

(b)The AML/CTF Program is the principal document for setting out the risk-based systems and controls that are required to ensure compliance with the AML/CTF Act and the AML/CTF Rules. The issues with Westpac’s ML/TF risk management models and risk-based controls in its Part A AML/CTF Program described in paragraph 253 above persisted for a number of years. (c)The requirement to carry out and maintain current ML/TF risk assessments of designated services is central to the AML/CTF Program and to the AML/CTF Act. (d)In order to appropriately mitigate and manage its ML/TF risk and have appropriate risk-based controls, as required by the AML/CTF Act, Westpac must first identify and assess the ML/TF risks it reasonably faces. (e)Westpac’s international payments business involves known higher ML/TF risks. Westpac’s failure to appropriately identify, mitigate and manage the ML/TF risks of the vostro accounts, ACM arrangements, and OSBSB arrangements has resulted in inadequate controls, and in some cases reduced transparency, in relation to some international payment flows. (f)Reduced payment transparency undermines the reputation, integrity and security of the Australian and global payments systems. (g)Reduced payment transparency limits the ability of AUSTRAC, the ATO and law enforcement to trace the origin, purpose and character of funds. (h)Over 5.7 million late IFTI reports involve transactions totalling AUD 2.9 billion that fall outside of the statutory limits the ATO operates under in respect of taking corrective action against taxpayers who have lodged tax returns. Westpac’s failures to lodge IFTI reports on time and, in some cases, complete IFTIs, has risked undermining the Australian taxation system. (i)Westpac’s failure to appropriately identify and manage all ML/TF risks from international payment flows and to appropriately monitor these transactions for suspicious activity has resulted in the loss of opportunity to detect, trace and disrupt possible unlawful activity, including possible child exploitation, money laundering, terrorism financing and tax offences. (j)The OSBSB arrangements allowed certain domestic and overseas branches of the account holder direct access to Westpac’s banking environment and payment systems but did not have adequate risk-based systems and controls in place. (k)Westpac’s OSBSB arrangements also permitted cash deposits below $10,000 at branches by persons whose identity could have been unknown and not verified, although such deposits were subject to the controls described at paragraph 269 above. (l)Reduced payment transparency with the Direct ACM arrangements with Banks A and F undermined Westpac’s ability to give IFTI reports to the AUSTRAC CEO that contained all the information required by the AML/CTF Rules (m)While Westpac conducted some independent review in relation to its Part A Program in the period 2014 to 2017, it did not conduct a review that fully met the requirements of Part 9.6 of the AML/CTF Rules until 2018. This limited its ability to identify these deficiencies.

E.1.5.2 Transaction monitoring program 339These contraventions are serious because: (a)The AML/CTF Act reposed a high degree of trust in Westpac to monitor transactions, having regard to the ML/TF risks of its own business. (b)Appropriate risk-based transaction monitoring is central to ensuring that matters that may be suspicious for the purposes of section 41 of the AML/CTF Act are identified and reported to AUSTRAC and law enforcement. Appropriate risk-based transaction monitoring is central to Westpac’s understanding of its own ML/TF risks, including emerging risks. (c)In mid-2015, Group Audit prepared an audit report that included an issue raised by WIB Financial Crime regarding deficiencies in the Group’s transaction monitoring program with regard to the monitoring of certain transactions, including international transactions. The Group Audit report included a management action plan, which required a detailed analysis of the current state of the transaction monitoring program to determine the extent of gaps. In August 2015, Enterprise Financial Crime circulated a memorandum outlining the current scope of Westpac's transaction monitoring program. Over the course of 2016 and 2017, Westpac took actions to address transaction monitoring issues in other jurisdictions. In August 2017, gaps in the transaction monitoring program were again identified. (d)Westpac did not appropriately monitor aspects of its international payment flows in the billions of dollars that carried higher ML/TF risks, including risks associated with tax offences and child exploitation. This failure exposed the Australian financial system and Australian system to these risks. (e)Payment flows through vostro accounts carry higher ML/TF risks which must be subject to appropriate risk-based monitoring to protect the integrity of the Australian payments system. For several years, Westpac failed to appropriately monitor these international payment flows. (f)If transactions are not appropriately monitored, unusual or suspicious activity cannot be identified and reported to AUSTRAC. Westpac’s failure to appropriately monitor billions of dollars of international payment flows could have impacted the ability to identify and disrupt possible suspicious activity. (g)While Westpac conducted some independent review in relation to its Part A Program in the period 2014 to 2017, it did not conduct a review that fully met the requirements of Part 9.6 of the AML/CTF Rules until 2018. This limited its ability to identify these deficiencies. (h)In the case of the failure to adequately monitor for indicators of CEM typologies: (i)In December 2013, AUSTRAC published typologies on the child exploitation risks of low value payments to the Philippines, which were available to Westpac. From May 2016, senior members of Westpac's financial crime function were aware of heightened CEM risks associated with low value payments to the Philippines. Some senior members of Westpac's financial crime function were also aware of the fact that CEM specific detection monitoring was not being applied across non-LitePay international payment products that facilitated such payments. Whilst senior management were advised that heightened risks associated with low value page 65

payments were recently highlighted in the Report on the Statutory Review of the AML/CTF Act, they were not advised that the Report referred to heightened risks related to child exploitation. Nor was the Board advised of heightened CEM risks connected with LitePay; (i)Westpac did not have appropriate and timely regard to all Guidance; and (ii)in the absence of appropriate risk-based transaction monitoring, Westpac was not in a position to identify all transactions potentially indicative of CEM typologies. (i)Westpac should have implemented more appropriate transaction monitoring than it did. This may have generated more suspicious matter reports to AUSTRAC. E.1.5.3 Systems and controls for IFTI reporting 340These contraventions are serious because: (a)Westpac did not have appropriate end-to-end reconciliation, assurance and adequate oversight processes to ensure that it was reporting IFTIs to AUSTRAC on time and with complete payer information where it had an obligation to do so under section 45 of the AML/CTF Act. (b)Westpac did not identify that over 72% of all incoming IFTIs received by Westpac for the period 5 November 2013 to 3 September 2018 had not been reported. (c)In June 2014, Group Audit identified that there was inadequate end-to-end understanding, documentation and monitoring over the IFTI reporting process. Management undertook a number of actions to address the issues raised by Group Audit, which led to Group Audit closing the issue in January 2016. However, weaknesses in Westpac's data management and technology systems in relation to AML/CTF compliance persisted. (d)As a result of the failure to file the IFTIs on time, AUSTRAC, the ATO and other law enforcement agencies have been deprived of timely information relating to over $11 billion in international payments for up to 6 years. (e)IFTIs assist in the process of revenue collection. Of the IFTI reports lodged late by Westpac, over 5.7 million transactions fall outside of the statutory limits the ATO operates under in respect to taking corrective action against taxpayers who have lodged tax returns. The value of the reported funds in respect to these transactions is $2.9 billion. (f)Late IFTI reporting delays and hinders law enforcement efforts. Timely access to IFTI information facilitates the tracking of off-shore movements of funds resulting from tax evasion and other crime, and assists in the process of revenue collection and the recovery of proceeds of crime. (g)Reduced payment transparency with the Direct ACM arrangements with Banks A and F undermined Westpac’s ability to give IFTI reports to the AUSTRAC CEO that contained all the information required by the AML/CTF Rules. (h)As Westpac did not always obtain full information about payers as required to be included in IFTI reports, the ability to identify possible suspicious conduct has been compromised or lost. (i)Of the 2,314 IFTI reports lodged late relating to LitePay:

(i)18 related to 7 of the first 12 customers with respect to whom Westpac had identified transactions suspected to be indicative of child exploitation; (ii)19 related to customers 27, 41, 45, 68, 81, 104, 127, 139, 160, 186, 210 and 221 with respect to whom Westpac had identified transactions suspected to be indicative of child exploitation; (j)AUSTRAC, the ATO and other law enforcement were not given timely intelligence in relation to those 37 international transfers. During the Relevant Period, Westpac reported to AUSTRAC approximately 4,773 IFTIs relating to the 262 customers within 10 days of the relevant international transfers taking place. E.1.6Ongoing Customer Due Diligence – contraventions of section 36 of the AML/CTF Act 341These contraventions are serious because: (a)Westpac’s failure to conduct appropriate ongoing customer due diligence in relation to the 262 customers was systemic and occurred over a number of years. (b)Some Guidance on CEM typologies had been available to Westpac at all times during the Relevant Period. In December 2016, AUSTRAC provided reporting entities, including Westpac, with methodology briefs detailing the key indicators for the purchase of livestreaming child exploitation material, involving international funds transfer instructions to the Philippines and South East Asia. (c)Given the serious nature of CEM risks, it is important for Westpac and other reporting entities to ensure that they have appropriate risk-based controls for transaction monitoring and enhanced customer due diligence with respect to these risks (d)Had Westpac appropriately monitored its customers in relation to CEM, it may have identified activity indicative of CEM sooner. Had this activity been identified sooner, it could have been reported to AUSTRAC and law enforcement sooner, through SMRs. Had this activity been identified sooner, Westpac would have been in a position to undertake additional steps to identify, mitigate and manage the risks of ongoing CEM. In some cases, Westpac could have reported customers to AUSTRAC a number of years earlier. (e)Westpac failed to identify activity potentially indicative of child exploitation risks by failing to implement appropriate transaction monitoring detection scenarios. Three of the customers the subject of these proceedings had prior convictions relating to child exploitation offences. AUSTRAC advises that one of these customers has been arrested in relation to further child exploitation offences since the commencement of these proceedings. AUSTRAC advises that other customers are being assessed further for possible investigations. E.2 Loss or damage suffered 342Westpac is a large corporation operating in an industry with known ML/TF risks. The AML/CTF Act reposes a high degree of trust in Westpac to identify, mitigate and manage the ML/TF risks of its own business. Financial service providers play an important role in combating financial crime. 343It is essential to the integrity of the Australian financial and payments system that a major bank such as Westpac has compliant and appropriate risk-based systems and controls in place to

identify, mitigate and manage ML/TF risk when providing designated services. Organised crime puts the financial sector and the community at risk of harm and undermines the trust Australians put in our financial institutions. 344It is also essential to the Australian and global financial systems that international payment instructions are transparent and that the higher ML/TF risks of correspondent banking relationships are appropriately managed. 345Money laundering is fundamentally about obscuring the origin and destination of funds. For this reason, payment transparency is one of the basic foundations of AML/CTF risk management and compliance. Payment systems that are not transparent can be exploited by organised crime, can facilitate tax offences and can impede law enforcement investigations. 346A lack of transparency with international payments that pass through the Australian payments system exposes global payments systems to the same risks. This also undermines the integrity, safety and reputation of the Australian payments system. 347It is critical to ensuring payment transparency that the senders or recipients of IFTIs file reports of these instructions with AUSTRAC in a timely and complete manner. 348Correspondent banking relationships present higher ML/TF risks associated with cross border movements of funds, jurisdiction risk (including the risks of operating in certain foreign countries) and risks associated with the transparency of the identity and source of funds of customers of the correspondent banks. Westpac allowed foreign institutions to operate within its banking environment and within the Australian payments system without appropriate due diligence, risk assessments and monitoring. Westpac’s failures have exposed Westpac, the Australian payments system, and some international payment channels to greater ML/TF risks including in relation to low value payments, which do not always involve inherently low ML/TF risks. Westpac’s failures have also exposed people to the risks of serious crime. 349The late and, in some cases, incomplete IFTI reports, have deprived AUSTRAC, law enforcement and the ATO of intelligence to which they are entitled involving movements of over $11 billion dollars in international payments over many years. As the international payments system allows money to move quickly, late and incomplete IFTI reports result in a lack of transparency in relation to the payments, compromising the ability of law enforcement to trace money, to investigate and prosecute serious crime and to recover the proceeds of crime. 350Over 5.7 million late IFTI reports involve transactions totalling AUD 2.9 billion that fall outside of the statutory limits the ATO operates under in respect of taking corrective action against taxpayers who have lodged tax returns. Westpac’s failures to lodge IFTI reports on time and, in some cases, complete IFTIs, has risked undermining the Australian taxation system. 351Westpac’s failure to pass on information about the origin of transferred money to other financial institutions in funds transfer chains reduced transparency in relation to these payments and may have impacted the ability of those other financial institutions to manage ML/TF risk. The absence of readily available information about the origin of funds transfers may compromise the ability of law enforcement and the ATO to investigate and prosecute serious crimes. 352Westpac’s failure to appropriately identify all ML/TF risks from international payment flows and to appropriately monitor these transactions for suspicious activity has resulted in the loss of opportunity to detect and disrupt possible unlawful activity, including possible child exploitation, money laundering, terrorism financing and tax offences.

353Westpac failed to identify activity potentially indicative of child exploitation risks by failing to implement appropriate transaction monitoring detection scenarios. Three of the customers the subject of these proceedings had prior convictions relating to child exploitation offences. AUSTRAC advises that one of these customers has been arrested in relation to further child exploitation offences since the commencement of these proceedings. AUSTRAC advises that other customers are being assessed further for possible investigations. E.3 Prior contraventions 354Westpac has not previously been found to have engaged in any contravention of the AML/CTF Act. E.4 Westpac's size and financial position 355Westpac reported a Net Profit for the full year ending 30 September 2019 of approximately $6,790 million. Of this, approximately 70% was returned to shareholders through dividends with the balance reinvested. Westpac reported a Net Profit for the half year ending 31 March 2020 of approximately $1,190 million. 356Westpac maintains approximately 1,140 branches, servicing approximately 14.2 million customers. Westpac employs approximately 33,300 people. 357Reflecting its scale, size of customer base and geographic spread of operations, at all material times Westpac has operated numerous and complex computer and management systems and controls. E.5 Board and senior management involvement 358The contraventions set out above were not a consequence of any deliberate intention to contravene the AML/CTF Act. At all times the Westpac Board and senior management sought to ensure that Westpac would comply with its obligations under the AML/CTF Act. 359Westpac acknowledges that the AML/CTF Rules require ongoing oversight of Part A of Westpac’s Program by the Board and senior management, and that the primary purpose of Part A is to identify, mitigate and manage ML/TF risk. 360Westpac acknowledges that its Board and senior management are responsible for seeking to ensure the Westpac Group manages the ML/TF risks faced by its business. 361During the Relevant Period, Westpac’s Board and senior management sought and received regular and detailed reports in relation to Part A of Westpac's Program and the identification, mitigation and management of ML/TF risks reasonably faced by Westpac from personnel with direct responsibility and oversight of the AML/CTF function. Where issues were identified, the Board and senior management sought to ensure these issues were addressed. 362Despite those steps, Westpac now acknowledges that for much of the Relevant Period: (a)the reporting to the Board and senior management on AML/CTF compliance and the identification, mitigation and management of ML/TF risk reasonably faced by Westpac lacked completeness and sufficient insight; (b)while Westpac's AML/CTF risk management framework was subject to some independent reviews by its internal audit function and by third party experts, Westpac did not complete an independent review that satisfied all of the requirements of Part 9.6.5 of

the AML/CTF Rules which are for the purposes of assessing the Part A Program's compliance and effectiveness; (c)some areas of ML/TF risk were insufficiently understood within key areas of Westpac; (d)there was, at times, a lack of sufficient speed in addressing instances where Westpac identified that it was operating outside of its ML/TF risk appetite; (e)there was a lack of sufficient clarity and understanding within Westpac as to the particular accountabilities between the three lines of defence responsible for financial crime controls; (f)the AML/CTF compliance and risk management functions were not adequately resourced; (g)there were weaknesses in Westpac's data management and technology systems in relation to AML/CTF compliance; (h)amendments to Westpac's Part A Program were approved by senior management committees, with the result that the Board did not have complete oversight over that process; and (i)AML/CTF compliance and risk management was not as rigorous as it should have been. 363Westpac’s Board and senior management oversaw a range of measures directed at improving its AML/CTF function and the identification, mitigation and management of ML/TF risks, including the measures outlined at E.7 below. These improvements were directed at addressing, among other things, the shortcomings listed at paragraph 362 above. 364Many of the improvements occurred from 2017 onwards. Westpac now acknowledges that improvements could and should have been made earlier. 365In recognition of the importance of compliance with Westpac's AML/CTF obligations and the significance of the breaches which are the subject of the proceedings, consequences were applied to a number of members of Westpac staff and senior management. E.6 Cooperation with AUSTRAC and contrition 366At all times throughout the Relevant Period and since, Westpac has invested in building a productive, cooperative and transparent relationship with AUSTRAC, including through collaboration and information sharing. This has ranged from informal updates to regular progress meetings at which Westpac provided updates to AUSTRAC on the status of various projects being undertaken by Westpac to uplift its AML/CTF policies, controls and procedures. 367Westpac's cooperation and collaboration with AUSTRAC has included its involvement in the Fintel Alliance, of which Westpac was a founding member and is a member of the Fintel Alliance Strategic Advisory Board. The Fintel Alliance is a public-private partnership launched in 2017 that brings together a range of organisations involved in the fight against money laundering, terrorism financing and other serious crime. 368AUSTRAC’s investigation into Westpac and the matters the subject of these Proceedings commenced following a voluntary self-report by Westpac on 15 August 2018 of identified IFTI non-reporting. This voluntary self-report was made promptly upon senior management becoming aware of the issue.

369Following the identification of the IFTI non-reporting in respect of the ACM arrangements, Westpac responded quickly to identify root causes and scope a remediation program. Westpac attended frequent meetings with AUSTRAC in late 2018 and 2019 to update AUSTRAC on progress of the remediation program. 370At all times since August 2018, Westpac has cooperated with AUSTRAC in respect of its investigation and engaged constructively with AUSTRAC in relation to responding to the Statement of Claim. In particular, and in addition to the remediation, corrective measures and enhancements discussed in section E.7. below Westpac has: (a)continued to work cooperatively with AUSTRAC on matters relating to AUSTRAC’s ongoing supervisory role and in the conduct of the Proceedings; (b)following the commencement of the Proceedings: (i)promptly expressed contrition and its desire to work with AUSTRAC to resolve the Proceedings; (ii)responded to AUSTRAC's extensive requests for further information and documents; (iii)initiated communication with AUSTRAC in relation to the mediation and participated in the mediation process; and (iv)entered all of the admissions in Section D above at the earliest available opportunity. 371Further, Westpac: (a)agrees that money laundering and terrorism financing undermine the integrity of the Australian financial system and impact the Australian community's safety and wellbeing; (b)acknowledges that, as a bank, Westpac plays a key role in combating money laundering and terrorism financing; (c)accepts its accountability for the admitted contraventions; (d)expresses its deep regret for those contraventions; and (e)acknowledges the significant impact that deficiencies in its systems and processes can have on efforts to combat money laundering and terrorism financing. E.7 Remediation, corrective measures and enhancements E.7.1Outline of activities directed to AML/CTF enhancements 372Westpac has advised AUSTRAC that it has undertaken the following activities. 373Since 2014 Westpac has spent $632 million on financial crime compliance (including AML/CTF compliance), and has made improvements to its technology platforms, personnel, processes and procedures. 374Reflecting its scale, size of customer base and spread of geographic operations, the systems and controls that support Westpac's AML/CTF compliance are of such a scale and complexity that effecting changes, upgrades and enhancements is necessarily time consuming and work must be undertaken carefully having regard to achieving the optimal outcomes and the possibility of unintended consequences.

375In 2015, Westpac commenced a review of its financial crime IT system, Detica, which led to Program Shield, a program to upgrade this system to facilitate a more efficient and coordinated approach to financial crime management, including transaction monitoring and sanctions screening. Given, its scale and complexity, the design and implementation activities associated with the project have occurred over a number of years. Work commenced on the upgrade in 2016 and continues. In total, since 2015, Westpac has invested $78.37m in phases 1 to 3 for upgrades to Detica, with $55.2m approved in 2019 for Phase 4 through to FY 2021. 376Over a number of years, Westpac has made structural and resourcing changes to its first line and financial crime teams to facilitate a more consistent and effective approach to financial crime management across the Group. 377From 2015 to 2019, Westpac implemented numerous plans of work to identify and address issues relevant to AML/CTF compliance. In September 2017, an AML/CTF Working Group was established. The Working Group met on an almost monthly basis, received regular updates and tracked remediation of key AML/CTF issues until it was subsumed within broader financial crime work programs in 2018. 378From 2018, Westpac reframed its previous program of work into a broader integrated Financial Crime Strategy for the Group and commenced a significant project of work to implement this strategy (the Financial Crime Program). The Financial Crime Program currently comprises the following streams of work: (a)Operating Model & Governance; (b)Risk Assessments; (c)Know Your Customer; (d)Transaction Monitoring; (e)Customer and Transaction Screening; (f)Third Party Risk Improvement and Due Diligence; (g)Regulatory Reporting; (h)Correspondent Banking; and (i)Data Management and Improvement. 379Significant enhancements have also been made to, among others, the Risk Assessment Standard, Correspondent Banking Standard, TMP Standard and Regulatory Reporting Standard and their underlying processes and procedures. These enhancements are described in greater detail below. 380In 2017, WIB instituted its own program of work (named Project Emerald) to review and enhance its financial crime risk management framework and controls across the following individual workstreams – Global Standards, Customer Lifecycle Management, Regulatory Client Uplift, Risk Assessment, Reporting, Anti-bribery and corruption , Training and Awareness, Transaction Monitoring and Sanctions. 381Further improvements prior to the commencement of the Proceedings include: (a)a significant increase in the number of internal resources dedicated to financial crime, doubling the number in the past three years (2017 to 2019) to approximately 750 people as at November 2019, with a target of reaching 950 by the end of 2020; page 72

(b)the establishment of a Financial Crime Program Steering Committee in November 2018, which was sponsored by the Chief Risk Officer and the General Manager, Compliance. That has since been replaced by a Financial Crime Program Portfolio Control Group in July 2020, sponsored by the Group Executive, Financial Crime, Compliance and Conduct and Chief Transformation Officer, Financial Crime, Compliance and Conduct; (c)the appointment of a new Global Head of Financial Crime (Westpac's Money Laundering Reporting Officer) in April 2019, who since November 2019, has reported directly to the Group Chief Risk Officer (and now the Group Executive, Financial Crime, Compliance & Conduct) as a General Manager; and (d)the establishment of the Group Financial Crime Risk and Compliance Committee in October 2019, responsible for reviewing and monitoring the strength of the Financial Crime Framework. 382Since the Proceedings commenced, Westpac has advised AUSTRAC that it has continued to implement enhancements to its approach to AML/CTF compliance. 383The enhancements include: (a)the establishment of the Board Legal, Regulatory and Compliance Committee, which is responsible for overseeing, among other matters, financial crime, and succeeds the Board Financial Crime Committee, established in November 2019; (b)the appointment of a new role of Group Executive responsible for Financial Crime, Compliance and Conduct in May 2020; (c)engaging Promontory to provide external assurance to Westpac's Board over the design effectiveness of the Financial Crime Strategic Plan (and Westpac's program of work to implement that plan); (d)appointing an independent Advisory Panel to assess the Board's governance and accountability in relation to financial crime. The Advisory Panel made a number of recommendations which Westpac has accepted and included in its remediation program; (e)conducting an internal review of its financial crime governance model to clearly specify individual accountabilities and embed monitoring processes, and the financial crime assurance model to better define the three lines of defence model to ensure clarity of roles and responsibilities; (f)following Westpac's Culture, Governance and Accountability (CGA) re-assessment, Westpac has established a multi-year Customer Outcomes and Risk Excellence (CORE) Program, which is directed towards the management of non-financial risk; (g)developed and resourced a Monitoring and Testing team with an associated framework, dedicated to continuous testing of financial crime controls across Line 1 and Line 2; and (h)undertaking significant improvements to and a refresh of Westpac's financial crime training program for the Board, senior management and staff in relation to AML/CTF compliance. 384Westpac has also closed a number of the products that are the subject of the Proceedings, terminating the: (a)the ACM1 arrangements;

(b)the OSBSB arrangements with Bank B and Bank J; and (c)the LitePay product. 385Westpac has served notice to terminate the ACM2 and ACM3 arrangements, as well as its relationship with Ordering Institution A. 386Westpac has also made a number of enhancements specific to the areas of contravention as described below. E.7.2IFTI reporting contraventions 387Since Westpac self-reported the non-reporting of IFTIs to AUSTRAC, it has taken a number of actions to remediate the non-reporting, address root causes and improve its governance in relation to IFTI reporting, reconciliation processes and data quality. Those actions include: (a)Westpac engaged Promontory to perform a review of the non-reported IFTIs that Westpac received from Banks A, B, C and D through the ACM arrangements in place with those banks, as well as the non-reported IFTIs received by Westpac through the arrangements with Ordering Institution A, and the non-reported IFTIs sent by Westpac through the outgoing arrangements with Bank B. Promontory performed a lookback review in relation to these IFTIs to understand the ML/TF risk profile of these transactions. Westpac provided the Promontory reports to AUSTRAC. As a result of the analysis undertaken by Promontory, Westpac provided four SMRs to the AUSTRAC CEO. (b)In August 2018, Westpac established Project 106, an internal Westpac project to ascertain the scale of any IFTI non-reporting in respect of the Direct Model ACM arrangements, address any identified non-reporting by back-capturing non-reported IFTIs and providing those IFTI reports to AUSTRAC (and having that back-capture process subjected to external independent validations), and implemented additional processes and controls to facilitate IFTI reporting for those arrangements moving forward. All non-reported IFTIs referred to in C.1 above have now been reported to the AUSTRAC CEO. (c) In September 2018, Westpac commenced a detailed analysis of international payment flows involving Westpac’s financial institution clients (including financial institutions and non-bank financial institutions) outside of the ACM arrangements to determine whether any that were required to be reported as IFTIs were not in fact reported. (d)To ensure that non-reporting of IFTIs similar to that which occurred with respect to Ordering Institution A does not occur in the future, Westpac has updated its implementation review checklist to incorporate changes to counterparty details. This new checklist is a mandatory requirement for all new customer solution implementation requests, as well as requests to update existing customer solutions. (e)Westpac has ceased all Direct Model ACM arrangements with the following banks. In particular: (i)the Direct Model ACM arrangement with Bank A ceased on 12 November 2018; (ii)the Direct Model ACM arrangements with Bank D ceased on 31 January 2019; (iii)the Direct Model ACM arrangement with Bank C ceased 2 February 2019; and (iv)the Direct Model ACM arrangement with Bank B ceased on 4 February 2019.

(f)Westpac also: (i)ceased the OSBSB arrangements with Bank B on 30 September 2019 and Bank J on 10 January 2020; and (ii)closed the LitePay product in November 2019. (g)Westpac has implemented the following additional controls, which it continues to enhance: (i)an IFTI reporting reconciliation tool (implemented in 2019 and enhanced in 2020) to ensure all IFTIs sent or received by Westpac are reported to the AUSTRAC CEO within the time periods required by the AML/CTF Act. The tool reconciles transactions provided by source systems (such as SWIFT Alliance Messaging Hub, WIBS referrer and Qvalent) against those provided to Detica and AUSTRAC Online, and identifies any potential non-reporting issues that may require remediation actions; (ii)an IFTI data enrichment tool to improve the data quality in IFTI reports that are provided to the AUSTRAC CEO. The tool obtains customer data from customer source systems to enrich the customer data in outgoing IFTIs ordered by Westpac customers; and (iii)an IFTI conformance tool that is designed to assess the quality of data included in IFTI reports against the specifications in the AML/CTF Rules. The tool identifies data deficiencies at source, allowing for any remediation and for Westpac to track over time the data quality included in IFTI reports. E.7.3Origin of international funds transfers contraventions 388The actions referred to paragraph 387 above are also relevant to the contraventions of section 64 of the AML/CTF Act. E.7.4Records of origin of international funds transfers contraventions 389The contraventions described in paragraph 136 above occurred as a result of historical back-up systems that have now been replaced or as a result of configuration issues in current systems that were identified and fixed prior to the commencement of the Proceedings. 390Since 2018, Westpac has also undertaken a number of further enhancements to its AML/CTF record keeping systems, including: (a)increasing the length of time that original customer instructions are maintained in an ‘online’ state within the WIBS systems to approximately six months; and (b)improved monitoring of back-up system performance to ensure timely detection and rectification of any failures. 391Since the proceedings were filed Westpac has updated its Group Records Management Policy, which will be implemented from October 2020 under the Enterprise Records Management Program. The new Policy will more clearly define the roles and responsibilities within business units including relevant governance; E.7.5Correspondent banking due diligence contraventions

392Westpac's approach to managing the ML/TF risk posed by its correspondent banking relationships has developed in recent years, during which time it has worked constructively with AUSTRAC. 393This has included: (a)making changes to its correspondent banking due diligence processes, systems and controls to address a requirement and recommendations made by AUSTRAC in its 2012 Compliance Assessment Report into Westpac's correspondent banking controls. Those changes included: (i)addressing the recommendation by AUSTRAC that Westpac review the systems and control processes formerly used for rating correspondent banks so that that the composite findings from the Preliminary Risk Assessments and Due Diligence Assessments that were used to determine the appropriate level of risk associated with the correspondent banking relationships were accurate, and did not merely reflect the “jurisdiction” risk considerations only. That recommendation was addressed by Westpac introducing the Composite Risk Rating into its assessments; (ii)addressing the recommendation by AUSTRAC that Westpac should include a “date of completion” on all correspondent banking review documents, by adding such a “date of completion” entry into all DD Workbooks; (iii)addressing the recommendation by AUSTRAC that the date of the next review date be included on the "Dashboard" tab of the Due Diligence Assessment so that the Due Diligence Assessment review was completed in a timely manner, by more routinely completing the “next review date” field in the DD Workbooks; and (iv) addressing the recommendation by AUSTRAC that when a trigger event takes place, the applicable trigger report be included in the correspondent bank’s file, by requiring that the teams undertaking the Preliminary Risk Assessments and Due Diligence Assessments to amend the Reporting Diary, including the next due date and depth of the review, and raising a trigger report, which is saved under the country folder in Westpac’s files; (b)making changes to its correspondent banking due diligence processes, systems and controls to address further recommendations made by AUSTRAC in its 2016 Compliance Assessment Report into Westpac’s correspondent banking controls. In particular, Westpac: (i)made changes to the CB Procedures Manual to respond to AUSTRAC’s conclusion that Westpac did not demonstrate in the DD Workbook a thorough assessment of the existence and quality of any AML/CTF regulation in the correspondent bank's country of domicile or that of its parent when documenting Due Diligence Assessments; (ii)made changes to the Westpac Questionnaire to respond to AUSTRAC’s conclusion that, in the absence of a trigger report (which is created after a trigger event if the event is deemed material), Westpac did not demonstrate in its periodic review documentation the assessment of any material changes in respect of the matters reviewed in the Due Diligence Assessment;

(iii)made changes to the Dashboard in the DD Workbook to respond to AUSTRAC’s conclusion that AUSTRAC was unable to identify evidence in Westpac's Due Diligence Assessment of assessment of the nature of the correspondent bank’s ongoing business relationship with Westpac, including the types of transactions carried out as part of that relationship or any material change in the nature of this relationship. In particular, the following additional questions were added to the Dashboard (section 3.8) in the 'Business Value Check / Assessment Decision' section: (A)“[Relationship Manager] Comments: Please confirm if there has been any material change in the products and services used by the customer since last review?”; (B)“[Network Manager] Comments: Please confirm if there has been any noticeable change to the volume or value of transactions since last review?”; (iv)made changes to its CB Procedures Manual to respond to AUSTRAC’s recommendation that Westpac should enhance its oversight of correspondent banking periodic review process by providing management information to key stakeholders on any reviews not completed within the specified timeframes in the correspondent banking documentation. In particular, Westpac replaced the monthly correspondent banking stakeholders meeting with the CBDDC in July 2017, which also meets monthly and is co-chaired by the General Manager of GTS and the General Manager of CIB. The CBDDC has the following objectives: (v)monitor new and ongoing correspondent banking relationships; (A)block, terminate, decline or limit any correspondent banking relationships outside of risk appetite; (B)review overall composition of correspondent banking customers and make decisions regarding specific areas of concern; (C)monitor and make decisions in response to potential risk implications of any new or amended products, processes and controls in relation to correspondent banking; (vi)made changes recommended by AUSTRAC to Westpac’s RFO Procedures Manual for clarity and comprehensiveness so that the manual was consistent with the key policies and procedures, including the AML/CTF program and the CB Standard; (vii)made changes recommended by AUSTRAC to its CB Procedures Manual so that in its Preliminary Risk Assessments and Due Diligence Assessments Westpac document any discrepancies identified in those assessments. Those changes included updating the Dashboard template by adding sections for the RFO Senior Due Diligence Manager, Relationship Manager and Network Manager to provide commentary and implementing a process whereby where there were any discrepancies identified, the manager would resend the DD Workbook back to the analyst undertaking the assessment and highlight any issues identified for

remediation. Once remedied, the analyst would resend the DD Workbook back to their manager for review; and (viii)made changes recommended by AUSTRAC to update the CBRA Model to include, where applicable, the reasons for assessing the correspondent bank to have increased risk or adverse findings. 394Westpac has made further enhancements to its processes, systems and controls in relation to correspondent banking due diligence as part of an initiative to align itself with global best practice, reduce its number of correspondent banking relationships, and simplify the banking services and products it offers to its correspondent banks. This has included the following steps, all of which Westpac undertook or initiated prior to the commencement of these Proceedings: (a)WIB has offboarded a large number of correspondent banking relationships since July 2017 which do not meet its risk appetite or strategic or commercial objectives; and (b)Westpac introduced an updated and enhanced CB Standard, approved by the Board on 11 December 2019, with new procedures to replace the CB Procedures Manual (named the "Correspondent Banking Due Diligence Procedures" (CBDD Procedures)). (c)The changes made to the CB Standard include the following enhancements: (i)broadening the definition of a correspondent banking relationship , beyond the definition in the AML/CTF Act, such that Westpac now treats non-bank financial institutions that use correspondent banking products and domestic correspondent banking relationships as correspondent banking relationships. A non-bank financial institution is defined expansively in the CBDD Procedures as any financial institution that offers financial services but does not have a banking licence and cannot accept deposits from the public. By contrast, section 5 of the AML/CTF Act limits the definition of a correspondent banking relationship to one with the following financial institutions: an authorised deposit taking institution, a bank, a building society, a credit union or a person specified under the AML/CTF Rules; (ii)stipulating prohibited correspondent banking relationships and restricted activity through correspondent banking relationships; (iii)changing the risk rating methodology for correspondent banks so that all correspondent banks are rated as 'high' or 'very high' risk, with all 'very high' rated correspondent banks subject to an annual Preliminary Risk Assessment and Due Diligence Assessment, and 'high' rated correspondent banks subject to a Preliminary Risk Assessment and Due Diligence Assessment every two years; (iv)more clearly articulating the separate requirements in relation to conducting an initial Preliminary Risk Assessment and Due Diligence Assessment prior to onboarding and ongoing Preliminary Risk Assessments and Due Diligence Assessments throughout the correspondent banking relationship; (v)the following approval processes: (A)approval of all correspondent bank relationships is required from the General Managers of GTS and CIB, Head of Financial Crime, GTS and the WIB Financial Crime Officer; and

(B)approval of 'very high' rated correspondent banks also requires approval of the General Manager, Financial Crime. (d)The changes made to the CBDD Procedures and its related guidelines and processes include the following enhancements: (i)introducing additional identification and verification requirements to align with AUSTRAC and international regulatory guidance and global industry standards; (ii)introducing a more qualitative assessment of the overall correspondent banking relationship; (iii)redefining Westpac's risk appetite in relation to correspondent banking and ensuring that identified higher ML/TF risk indicators are considered and that the assessment of these indicators is documented more clearly; (iv)introducing site visits to, or calls with, correspondent banks to improve the depth of the assessment of the correspondent banks' AML/CTF and sanctions controls; (v)redesigning the periodic review cycles, trigger event reviews and relevant processes (including customer transactional activity reviews) to provide for regular reviews and assessments of the correspondent banking relationships based on the risks they present (including the sale of a new product); and (vi)a more robust quality checking and quality assurance process. 395Further work, also commenced prior to the commencement of these Proceedings, includes: (a)the design of additional automated transaction monitoring scenarios to identify additional ML/TF risk typologies associated with transactions made through vostro accounts, implemented in the first quarter of 2020; (b)updating guidance documents that underpin the CBDD Procedures, which was completed at the end of February 2020; and (c)a further review and reduction of the population of correspondent banks, to align Westpac with its commercial strategy and risk appetite, and to support it in its aim to enhance the quality of due diligence on its correspondent banking relationships. 396Since the commencement of these Proceedings, Westpac has: (a)reviewed the Statement of Claim to confirm whether any deficiencies have been addressed through the improvement work already undertaken or, where not, that there is an action plan to address those deficiencies or to make further enhancements; (b)commenced re-conducting Preliminary Risk Assessment and Due Diligence Assessments across the correspondent banking portfolio according to Westpac's new enhanced CB Standard and CBDD Procedures. The re-review of Bank A Parent and Banks B to P has been prioritised and completed, Westpac anticipates completing its re-review of all relevant correspondent banks by the end of March 2021; and (c)until a future date, currently anticipated to be the completion of the re-review of the relevant correspondent banks, ceased: (i)the opening of any new vostro or RMA arrangements as part of any new or existing correspondent banking relationships; and

(ii)approving new jurisdiction or currency flows for existing correspondent banking relationships; (d)updated the DD Workbooks, RFO procedures and associated documents to align with the CB Standard and CBDD Procedures; and (e)developed, processes, standard operating procedures, key performance indicators, and management information to ensure and measure adherence to Westpac's correspondent banking risk appetite and to ensure appropriate exceptions approvals, monitoring and oversight; E.7.6AML/CTF Program Risk assessments and risk-based systems and controls 397Since 2017, Westpac has undertaken a significant body of work to improve its approach to ML/TF risk assessments, including product and channel ML/TF risk assessments. Prior to the commencement of the Proceedings, the following work was completed: (a)in late 2017, Westpac developed refreshed channel and product ML/TF risk assessment methodologies. This included a new process for completing standalone channel risk assessments; and (b)starting in late 2017, divisions within Westpac were required to review and update current product and channel risk assessments under the revised ML/TF risk assessment approach to ensure consistency across the Group. 398Since the commencement of Proceedings, Westpac has been taking a number of further steps to improve its approach to assessment of ML/TF risk. Enhancements undertaken or underway include: (a)developing a new Product Risk Assessment and Channel Risk Assessment methodology and updating the Product and Project Risk Assessment tool; (b)enhancing the product and channel risk assessment questionnaires to ensure appropriate coverage of ML/TF risk attributes relevant to its products and channels (based on a review and assessment of a number of AUSTRAC papers and publications, including relevant AUSTRAC risk assessments), and to support the identification of whether products and channels will generate reporting obligations; (c)mandating an identification and assessment of key controls relied on to mitigate and manage the ML/TF risks posed by products and channels to support the derivation of a residual risk rating; (d)increasing the frequency with which product and channel risk assessments will be refreshed; (e)clarifying and refining the defined triggers for refreshing product and channel risk assessments; (f)enhancing the methodology and process for completing its enterprise-wide AML/CTF risk assessment; (g)completing the enterprise-wide AML/CTF risk assessment; (h)mandating a reassessment of all products and channels using the new methodology; and

n (i) Tra retaining Product Risk Assessments and Channel Risk Assessments in a central registry. saction monitoring 399 Prio r to the commencement of the Proceedings, Westpac has: (a) undertaken work to uplift its TMP Standard, completed in August 2018; (b) consolidated responsibility for transaction monitoring controls with the appointment of a new “Financial Crime Controls and Operations Officer” in September 2019, with an additional dedicated Executive Manager for transaction monitoring commencing in April 2020; (c) extended CSE transaction monitoring rules to non-LitePay channels; (d) developed new detection scenarios to address gaps in the monitoring of high-risk products; and (e) delivered enhancements to its sanctions, terrorism financing and politically exposed persons screening processes. (a)the establishment of a transaction monitoring governance forum to provide ongoing governance over the continued effectiveness of the transaction monitoring program (b)designing and implementing an end-to-end governance process for the transaction monitoring program, which includes key performance indicators, controls, actions and hand off points, together with a standard operating model for the transaction monitoring program; (c)conducting a detailed review of AUSTRAC publications and guidance against existing detection scenarios to determine the adequacy of current scenarios and enhancing detection scenarios where required; (d)implementing an end-to-end process to interpret, embed and address AUSTRAC AML/CTF guidance; (e)conducting a further review of the detection scenarios for a number of existing products and services that pose higher ML/TF risks to identify whether any enhancements are required; (f)assessing whether appropriate detection monitoring scenarios are in place to identify transactions and customers that are outside of Westpac's risk appetite; and (g)reviewing whether remaining non-SWIFT payment channels require further transaction monitoring or sanctions screening. 401With respect to child exploitation risk specifically, Westpac has: (a)extended its automated detection monitoring scenarios for child exploitation risk to SWIFT channel payments to a broader range of jurisdictions; (b)amended its procedures so that where Westpac identifies a transaction that it determines it has a reasonable basis to believe is suspicious in relation to potential CEM activity, an SMR must be lodged with the AUSTRAC CEO within 24 hours (rather than 72 hours, as required under section 41 of the AML/CTF Act); and

(c)made amendments to, and supplemented, its detection monitoring scenarios for CEM risk to address newly published AUSTRAC and other guidance. 402In relation to vostro account transaction monitoring, Westpac implemented additional detection monitoring over vostro accounts at the end of February 2020, as described in paragraph 395(a). It is conducting a further review of these scenarios to identify whether any further enhancements could be made to the existing detection monitoring. IFTI reporting 403In addition to the steps outlined above in E.7.2, on 1 May 2019, Westpac updated the Regulatory Reporting Standard to include a requirement that the Divisions must ensure and be satisfied that there were processes and procedures in place (at a Group and/or Divisional level) to ensure that all transactions facilitated by their Division, which meet the definition of an IFTI were reported to AUSTRAC within the specified timeframes. This included a requirement that there were controls in place to periodically reconcile the number of IFTIs received and sent against the number of IFTI reports submitted to the AUSTRAC CEO. E.7.7Ongoing customer due diligence contraventions 404Westpac has: (a)terminated the transactional accounts of each of Customers 1-12 and placed a block on certain products which Westpac cannot immediately exit, such as credit cards or home loans with existing amounts owed to Westpac, or insurance products. Under these products, the only transactions the customers can enter into are to repay amounts owed to Westpac. Once the amount owed to Westpac has been repaid or the product term expires, the account or product will be terminated; (b)since the commencement of the Proceedings, made a number of improvements to its enhanced customer due diligence process in relation to customers who have been identified in SMRs filed with AUSTRAC in relation to CEM risk. Those improvements include: (i)reducing the maximum time for exit decisions to be reached and implemented in relation to customers in relation to whom an SMR has been filed in relation to CEM risk; (ii)blocking certain payments for customers the subject of an exit decision in relation to CEM risk in the period between an SMR being filed and the customer account being closed; and (iii)conducting additional training for relevant staff in relation to identifying and monitoring for CEM risk. 405Westpac is also in the process of making enhancements to its ECDD processes.

Date: 24 September 2019 ……………………………………….. Sonja Marsic AGS Lawyer For an on behalf of Australian Government Solicitor Lawyer for the Applicant ………………………………………. Peter Haig Solicitor for the Respondent

Annexure B page 84

page 85

Annexure C page 86

page 87

page 88

page 89

page 90

page 91

page 92

page 93