A corporation, even a group of corporations, is a pyramid. The fundamental question is whether it should be or whether we have reached, in relation to compliance and risk management, the stage where no one person can be expected to be on top of all aspects. Given that the chairman of a board is supposed to be supervisory over all aspects of the business but not engaged in day to day operations (in the Westpac case the Chairman, Lindsay Maxsted, is also going ) and the CEO is expected to execute, by delegation, the decisions of the board, the pyramid creates a focal point. Perhaps the remedy is to create personal responsibility in the hands of individual directors, to make them, in effect, the CEOs of their own divisions. Yet that is an approach which would bring its own problems.

The WestPac case is not unusual although the scale is. It is now about two weeks since AUSTRAC, the Australian FIU, announced that it had applied to the Federal Court for a civil penalty order against Westpac Banking Corporation (see media statement: https://www.austrac.gov.au/abo... ). AUSTRAC was blunt: the applications "relate to systemic non-compliance with the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act). AUSTRAC alleges Westpac contravened the AML/CTF Act on over 23 million occasions."

The precise failures, insofar as they are presently known, are relevant but not the point of this article: here we are concerned with the fundamental question as to while there is no doubt that ultimate responsibility lies with a CEO, should he be solely responsible? As to the failures in this case, it's simply noted that it is reported that the problem apparently arose with a software modification in 2011 in which a vital reporting flag was not set and, as a result, for some years, transactions that were obviously reportable were not reported. That is compounded by the fact that, for several years, no one noticed and when, eventually, someone new to the company reportedly did, she was allegedly sidelined and kept out of vital meetings.

It appears that the corporate world and its regulators are stuck in a mind-set that is more relevant to single-owner, single-purpose businesses. Under this model, there is one person who has considerable direct contact with all the business' operations. But this is a fiction: even in small businesses there are areas of business which the boss delegates to specialists and must rely on them to do their jobs. It is essential that the boss sets the culture for the firm and he may review and sign-off on processes manuals, for example, but he cannot be expected to inspect every aspect of every employee's work. That is not to say that he should not understand and supervise: when I was in private practice as a solicitor, one of the basic things I told business clients was "if you don't understand the business, don't do the business."

The financial services sector is moving inexorably (and I would argue rightly) towards personal responsibility and general corporate regulation is going in the same direction. It is clear that the time has come to look at where responsibility should lie. In order to do that, first we have to consider that there are several conflicts inherent in any review.