Westpac processed 23 million transactions that violated anti-money laundering law. Among them: payments to the Philippines and Southeast Asia matching patterns used to pay for child exploitation. Westpac's LitePay product made it easy — low-value transfers, minimal monitoring, no questions asked. The fine was $1.3 billion. The largest in Australian history. AUSTRAC CEO Nicole Rose didn't call it "a few issues." Westpac's CEO did. Westpac CEO Brian Hartzer learned his bank had facilitated payments linked to child exploitation in the Philippines. He told staff it was "a few issues." He compared the scandal to a "different molehill." Twenty-three million legal violations. Children exploited. And the CEO of Australia's oldest bank couldn't find the gravity in it. Hartzer resigned, forfeiting $2.6 million in bonuses. The children forfeited more.
What they claim: Westpac states it collects personal information only "for the purpose of providing banking services."
What we found: The Westpac app collects precise location, device identifiers, biometric data, and detailed transaction analytics. Data is shared with "service providers and partners" including analytics firms. Westpac's DataX program explored monetising anonymised transaction data — selling aggregate spending patterns to merchants and marketers. Customer insights are shared through payment platform partnerships. Banking services now include being the product.
What they claim: Westpac says customer data is used to "improve services and customer experience."
What we found: Westpac's DataX initiative explored selling anonymised transaction data to third parties — providing merchants and marketers with aggregate spending patterns, consumer trends, and location-based insights derived from banking transactions. The program would turn Westpac from a bank into a data broker, monetising the spending habits of 13 million customers. "Improving customer experience" by selling the customer.
What they claim: Westpac states it "takes its obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act seriously" and maintains "robust compliance frameworks."
What we found: AUSTRAC fined Westpac $1.3 billion in September 2020 for 23 million contraventions of AML/CTF laws — the largest fine in Australian corporate history. AUSTRAC found Westpac failed to adequately monitor transactions to the Philippines and Southeast Asia that were consistent with patterns used to pay for child exploitation material. Westpac's LitePay product enabled low-value international transfers with virtually no monitoring. The bank processed the payments. The children had no compliance framework.
What they claim: Westpac marketed itself as "Australia's first bank" with a 200-year heritage of trust and responsibility to the Australian community.
What we found: When AUSTRAC filed proceedings alleging Westpac facilitated child exploitation payments, CEO Brian Hartzer told staff it was just "a few issues." He reportedly compared the scandal to a "different molehill." Hartzer resigned November 2019 under board pressure, forfeiting approximately $2.6 million in bonuses. Chairman Lindsay Maxsted stepped down early. The board approved a 13% pay cut for remaining executives. Twenty-three million violations. Child exploitation. "A few issues."
What they claim: Westpac claims to support customers through difficult times, with its Banking Code of Practice committing to assist customers experiencing financial hardship.
What we found: The Federal Court fined Westpac $26 million in May 2026 for failing to respond to more than 200 online hardship requests over six years (2017--2023). Customers facing domestic abuse, natural disasters, serious illness, and job loss asked Westpac for breathing room on mortgages, credit cards, and personal loans. Some waited weeks beyond the legal deadline. Others never received a response at all. While they waited, Westpac recorded adverse credit information on their files and sold their debts to third-party collectors who actively pursued them. Justice Timothy McEvoy called the conduct "grossly negligent" and said the harm to these vulnerable customers "cannot be overstated." Westpac argued it should pay only $10 million. The judge called that amount "little more than derisory in the circumstances and therefore wholly inappropriate." ASIC deputy chair Sarah Court said: "Westpac failed the very customers who needed help when they needed it most. Instead of providing a safety net, Westpac's systemic failures let them slip through the cracks."
What they claim: Westpac states it uses "advanced security measures" to protect customer data and accounts.
What we found: In 2019, researchers found Westpac subsidiary's PayID lookup system could be queried with random phone numbers to retrieve customer names attached to bank accounts. Approximately 100,000 customer records were exposed. Attackers could build a database linking phone numbers to real names and bank account details. Westpac took days to patch the vulnerability after initial reports. Security researchers had to go public before Westpac acted.
What they claim: Westpac claims to lend "responsibly" and assess each customer's ability to repay before approving a home loan.
What we found: ASIC took Westpac to court for approving approximately 260,000 home loans using the Household Expenditure Measure (HEM) benchmark instead of customers' actual living expenses. HEM assumed customers spent far less than they actually did, inflating borrowing capacity. Westpac approved mortgages people couldn't afford based on fictional expense estimates. The case went to the High Court. ASIC lost on a technicality — but 260,000 Australians got mortgages assessed on imaginary budgets.
What they claim: Westpac claims to "support all Australians" and operate with "community responsibility."
What we found: The Hayne Royal Commission found Westpac subsidiary BT Financial Group sold junk funeral insurance through the banking platform, including to Indigenous Australians who couldn't afford the premiums and would never benefit from the policies. Commissioner Hayne specifically called the conduct "dishonest." The policies were designed to lapse before they could pay out — the bank collected premiums knowing the product was worthless to the people buying it.
What they claim: Westpac committed to "making things right" for customers affected by misconduct identified in the Royal Commission.
What we found: ASIC Report 738 (2023) found banks including Westpac took an average of 3.6 years to complete customer remediation programs. By 2023, Westpac was still processing refunds for conduct identified in the 2018 Royal Commission. Some customers waited five years to receive money Westpac admitted it owed them. Customers who died during the wait had claims transferred to their estates. "Making things right" — eventually, if you live long enough.