Lessons from the CBA money-laundering scandal
15 Sep 2017

The recent Commonwealth Bank money-laundering and terrorism-financing scandal provides a couple of important lessons. It highlights the vital role that the private sector plays in fighting crime and terrorism and protecting national security, and it provides a lesson to businesses about the serious consequences of not fulfilling their anti-money-laundering and counter-terrorism-financing (AML/CTF) obligations.

AUSTRAC’s allegations are about as bad as it gets, short of wilful breaches or actual collusion in the alleged crimes. In May 2012, CBA rolled out intelligent deposit machines (IDMs)—ATMs that accept cash deposits of up to $20,000 with no daily limit on the number of transactions a customer can make.

Australia’s AML/CTF laws require regulated entities to report cash deposits of $10,000 or more to AUSTRAC—Australia’s financial intelligence unit and AML/CTF regulator. These reports, known as threshold transaction reports or TTRs, require entities to provide details of the customer, the institution and the transaction. However, for almost three years, CBA failed to report 53,506 cash deposits of $10,000 or more through its IDMs to AUSTRAC.

Furthermore, CBA’s machines allowed anonymous cash deposits. If a customer used a non-CBA card to deposit funds, the IDM didn’t record any information about the card owner making the transaction.

Unsurprisingly, the IDMs were a magnet for criminals and potentially for terrorism financers. AUSTRAC alleges that at least four organised crime syndicates used CBA IDMs to launder at least $75 million of mainly drug money within two years. And CBA itself held concerns that further transactions were linked to customers who posed a risk of terrorism or terrorism financing.

The number and combined value of suspicious transactions were large, and the criminal syndicates used well-known money-laundering techniques: structuring and ‘cuckoo smurfing’. Yet, AUSTRAC alleges that CBA failed to report many of those suspicious matters to AUSTRAC on time, if at all.

CBA chief executive Ian Narev blamed the problem on a single coding error. However, that doesn’t explain AUSTRAC’s other allegations. They include CBA’s failure to undertake a risk assessment until three years after the IDMs were introduced, its failure to monitor and undertake enhanced due diligence on high-risk customers, its inadequate transaction monitoring, and its failure to lodge suspicious matter reports in some cases. And Narev hasn’t explained the slow and inadequate response when law enforcement and his own staff raised concerns.

These breaches suggest some bigger problems. Clearly, there’s been a breakdown of internal systems. The coding error should have been picked up during testing before implementation.

The other failures are basic legal requirements that the bank would be well aware of from other parts of its operations. Were the bank’s AML/CTF experts engaged when the IDM functions were designed and before they were rolled out? The slow response to alerts and law enforcement information suggests insufficient staffing. And CBA’s culture has come into question following a number of other scandals. What role did culture play in this failure?

Businesses’ AML/CTF obligations are important. The private sector plays a vital frontline role in the fight against criminality and terrorism, preventing criminal funds entering the financial system, minimising the funds available to terrorists and providing crucial intelligence. These breaches bring into clear focus just how important that role is.

As AUSTRAC noted, CBA’s conduct has delayed and hindered law enforcement efforts through lost intelligence and evidence, enabled further money laundering and caused the loss of proceeds of crime. This has ‘exposed the Australian community to serious and ongoing financial crime’.

CBA now faces enormous financial penalties, further regulatory scrutiny here and overseas, increased business costs from remediation work, a falling share price, a possible shareholder class action, reputational damage, the premature departure of its CEO, and the increased chance of a banking royal commission.

The fallout for CBA is a good lesson to all company boards and senior executives. Your company plays an important role in preventing crime and terrorism and protecting national security. The community finds it unacceptable if you don’t play your part.


Correction: an earlier version of this post incorrectly attributed authorship to Andrew Davies. The error was caused by an oversight in uploading.