By Professor Mak Yuen Teen
CBA is a multinational financial group that provides integrated financial services such as retail banking, business and private banking, institutional banking and markets, and wealth management to its customers. Founded in Australia in 1911, the bank has established its longstanding position as one of the pillars of the Australian financial industry. In 2015, CBA was ranked at the top of the Australian Securities Exchange (ASX) market capitalisation report. The group has grown its operations both locally and globally through a wide network of branches, subsidiaries, and associates such as Bankwest, Colonial First State Investments, ASB Bank, and Commonwealth Securities.
The Landmark Case
On 3 August 2017, AUSTRAC initiated civil proceedings against CBA in the Australian federal courts for severe breaches of the Australian Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (the AML/CTF Act) between November 2012 and September 2015. This was a landmark case that caused a ripple of shock for observers as each instance of breach in the Act carried a maximum penalty of A$18 million. The maximum fine of nearly A$1 trillion dwarfed the entire bank’s market value. After news of the legal proceedings emerged, CBA’s share value fell by 3.9% the following day.
Four syndicates, of which three were linked to drug dealing and distribution, were discovered to have carried out money-laundering activities using the bank’s fleet of IDMs – a smart ATM that could process cheques and cash deposits instantly – making the funds immediately available for transfer. The drug syndicates made deposits into several separate accounts under fake names, ensuring that each deposit was under A$10,000 – a limit that legally required CBA to report the transaction to AUSTRAC. The syndicates transferred the money out to overseas accounts thereafter. CBA had allowed such transfers exceeding A$75 million to remain undetected for over two years.
Attack from All Sides
After the first civil proceeding was initiated by AUSTRAC, more parties started to hop on the bandwagon, adding to the bank’s headache. Other regulators such as the Australian Securities and Investment Commission (ASIC) also began to announce that they were starting their own investigations into CBA. Members of the Australian Senate also called for a royal commission in parliament to investigate the breaches.
The Australian Prudential Regulation Authority (APRA) also announced that it would initiate an independent public inquiry against CBA, focusing on whether the bank deliberately overrode its controls and safeguards in pursuit of higher potential profits. Such an action was unprecedented as APRA had normally operated ‘behind the scenes’, and the overt action was interpreted as a symbolic move that government regulators were adamant in making changes to the bank’s leadership.
The Intelligent Laundromats
Problems started back in 2012 when CBA introduced its IDMs into the market. The IDMs provided its customers with another integrated financial service. The introduction of IDMs saw an increase in transactions and savings. Competition in both domestic and global markets remained stiff with other competitors launching new innovative products and services. Therefore, to place itself ahead of its competition and to prepare for potential stagnant economic growth, CBA offered consumers an option of using IDMs in the hope that this would it bring the bank to the forefront of financial technological advancement.
What made the IDM seem like a superior service was that individuals, regardless of whether they were personally CBA customers, could deposit either cheques or cash into CBA accounts without a limit on the number of transactions. This strategy helped attract more customers to CBA, especially small and medium enterprises, which were heavily reliant on cash. These small and medium enterprises could also now bypass certain stringent restrictions in place when making large transactions. Furthermore, the technologically advanced and fast IDMs would ameliorate the large salary expenses that CBA incurred for bank tellers and front desk personnel, significantly reducing the bank’s operating expenses.
Without a limit on the number of transactions per day, large transactions could take place daily without any restrictions imposed by the IDMs. However, due to control oversight, the IDMs failed to capture unusually large transactions. This violated the compliance regulations imposed by the Australian authorities. The AML/CTF Act prescribed that any transactions exceeding the threshold value of A$10,000 had to be reported in Threshold Transaction Reports (TTRs) to AUSTRAC within 10 business days. In addition, as the machine could be used by anyone – including non-CBA customers – anonymous deposits were permitted.
In fact, the IDM platform was not a unique technological innovation exclusive to CBA. Westpac Banking Corporation (Westpac), another Australian bank, had also conducted a trial using IDMs. However, Westpac concluded in its trials that the risk of such machines being utilised by criminal gangs for money laundering purposes were too high, and ultimately chose to not proceed with the roll out of IDMs for public use. However, CBA decided to install more than 805 IDMs country-wide by May 2017.
The launch of CBA’s IDMs with weak controls came as pleasant news to two members of a methamphetamine manufacturing and trafficking ring based in Sydney, Australia – Yuen Hong Fung and Kha Weng Foong. Fung and Foong began laundering more than A$650,000 a day through CBA’s IDMs from late 2014 to August 2015. An estimated total of A$20.6 million was deposited through IDMs into CBA accounts, and all of it was transferred offshore.
This was not the first time that Foong had used his expertise in fabricating false identification cards. In 2009, he was involved in producing fake credit cards that enabled him to misappropriate almost A$7 million from retailers in Australia. Foong’s expertise was just what Fung, who wanted to launder money made from methamphetamine sales to Hong Kong, needed. In 2014, Foong helped Fung to create false CBA accounts using fake driving licenses. Foong went by many names, such as Ronald Brown, Luke Shaw, and Richard Whippy. However, had CBA’s staff looked closer, they would have noticed that all the fabricated licenses used the same picture of Foong.
Fung used a number of IDMs throughout Sydney and ensured that the amounts deposited were under A$10,000 for each transaction. CBA had identified consistent, suspicious patterns of cash deposits in 16 of these accounts by April 2015. Despite this, the bank did not follow up on its findings, and allowed an estimated A$9.1 million to be transferred to Hong Kong between April and July 2015.
The Lone Hero
On the morning of 28 May 2015, the manager at CBA’s Leichhardt branch received an error message from one of the branch’s IDMs, indicating that the machine was full. As this was an unusual occurrence, he was prompted to investigate further. He found that multiple deposits of about A$50,000 each were made to two accounts that morning. Upon further investigation, it was discovered that over the past month, both accounts had received deposits of at least A$1 million each which were then almost immediately transferred offshore. Fung had deposited A$457,980 that day as he went around using IDMs located in different locations. The problem at Leichhardt meant he had to go to Ashfield to deposit the remaining amount.
A month later, on 30 June 2015, the Leichhardt branch manager approached Fung while he was doing his usual deposit run, which disrupted his actions. Fung simply moved to another location to carry on his business. That same night, CBA blocked 19 of Foong’s accounts at the request of the Australian Federal Police (AFP). By this time, the bank had identified that the false accounts were opened by foreign nationals on holiday visas. The money laundering was therefore put to a stop for five days. However, it resumed later with 11 new accounts. These accounts utilised the same modus operandi previously identified by CBA. They fell through the cracks as there was a lack of subsequent follow-up monitoring for money laundering and terrorism financing risks.
Foong and Fung were eventually arrested on the morning of 24 August 2015 at CBA’s Eastgardens Branch for dealing with the proceeds of crime and structuring offences. Meanwhile, AUSTRAC alleged that CBA had failed to report 60 TTRs related to transactions by Fung and suspicious activities relating to Fung on 92 separate occasions.
A Lack of Follow Up
Foong and Fung were not the only criminals making use of CBA’s IDMs to launder money. Between June 2014 and May 2016, three other money laundering syndicates making use of CBA accounts were identified. These three syndicates adopted similar practices of executing financial transactions in a specific pattern. Large amounts of cash were deposited into multiple CBA accounts through IDMs. Almost immediately after each deposit was made, the money would be transferred to either other domestic accounts or offshore bank accounts. These deposits were the proceeds made from drug manufacturing and trafficking carried out by the syndicates.
In all three situations, CBA was aware of the unusual patterns of these transactions and identified the suspicious accounts, a few months after the money laundering activities started. For one of the syndicates, CBA had even identified evidence of structuring, and concluded that some of the accounts belonged to suspicious money remitters that were potentially part of a money laundering syndicate. However, CBA did not continue to monitor these customers and accounts and continued to allow these highly suspicious individuals to deposit cash and make transactions for their accounts. Despite the large and structured cash deposits made, several transactions for these accounts did not trigger transaction monitoring alerts for structuring. Although alerts were raised in the remainder of these instances, CBA failed to review them in a timely manner and did not submit timely Suspicious Matter Reports (SMRs), as required legally by the AML/CTF Act.
In late 2015, the AFP advised CBA that several of the accounts related to one of these syndicates were involved in an investigation into serious criminal offences including drug importation and unlawful processing of money. However, even after the warnings were issued, CBA did not close several of these accounts and allowed more transactions to occur.
Regulators Given the Run-Around
It was clear as day that CBA had failed to manage its regulatory compliance obligations adequately. Within the three-year period from November 2012 to September 2015, CBA did not submit 53,506 TTRs on time, totalling A$624.7 million. Even when the amounts transacted were less than A$10,000, CBA had a legal obligation to file SMRs to AUSTRAC when it identified suspicious patterns of activity. Such patterns might include customers who deposit amounts just under the threshold transaction limit to avoid detection. However, CBA adopted an internal policy where SMRs would not be submitted if suspicious matter of the same nature had already been reported in the previous three months. Between August 2012 and June 2017, there were 69 cases identified where CBA failed to submit SMRs related to possible money laundering crimes on a timely basis, even after receiving requests from law enforcement for account details to assist in their criminal investigations.
In many other cases, SMRs were not submitted due to a lack of transaction monitoring alerts raised or reviewed. For the incidents where alerts were raised and reviewed, CBA’s submissions were usually incomplete.
Risk Assessment Falls Short
Before the introduction of IDMs into the mass market, CBA did not perform risk assessments for anti-money laundering and counter-terrorism financing risks. Such risk assessments were required under the AML/CTF Act in Australia. As a result, there was a lack of adequate risk-based systems and controls to manage these risks.
After the IDM launch, CBA did not carry out the necessary risk assessments from 2012 to mid2015 even when there was an exponential increase in the amount of cash deposited during this period. An estimated A$8.9 billion in cash was deposited through CBA’s IDMs before it performed the risk assessment required. CBA had also failed to comply with its transaction monitoring program for 778,370 accounts from the launch date to September 2016.
Around July 2015, CBA’s intelligence analysis had obtained evidence that criminal syndicates were laundering several millions of dollars through its IDMs. Following that, CBA contacted the serious organised crime units of the AFP, New South Wales (NSW) police, and Western Australian police regarding the said money laundering activity. However, once again, CBA failed to follow its own anti-money laundering procedures and no new risk controls were introduced to tackle the problems that surfaced.
One year later in July 2016, CBA evaluated that the IDMs had a high inherent money laundering risk but once again, it concluded that the residual risk was low. Hence, no action was taken to address the high inherent risk.
Mismanagement of Operational Risk
CBA had the legal obligation to continually monitor its customers so that the risk of money laundering and terrorism financing could be managed and reduced. Once suspicious transactions have been identified, CBA must carry out enhanced customer due diligence (ECDD), as required by the AML/CTF Act. This may include ascertaining the source of the customer’s wealth or terminating their accounts.
However, when dealing with suspicious customers, CBA was slow to decide on whether to cease doing business with these customers. They gave the criminal syndicates 30 days’ notice before suspending their accounts and in 20 of these cases, AUSTRAC noted that the money laundering offences continued during the notice period given. CBA did not put in place any additional checks on these transactions and was unable to address the problem properly.
By December 2017, CBA had filed its response to the legal suit filed by AUSTRAC. The bank only admitted to 91 allegations, challenging the remaining hundred or so claims made by AUSTRAC. The agency responded by increasing the scope of its claims and charged the bank with 100 additional new claims of breaches of the AML/CTF Act.
CBA responded by denying a further 89 of these claims. A deadlock between CBA and AUSTRAC ensued, with both parties increasing their accusations and claims over the scandal. On 22 March 2018, the courts ordered mediation between the two parties.
Missing from the Equation: Accountability
The bank identified ‘accountability’ as one of its five core values in its 2014 Shareholder Review. However, accountability appears to be lacking in CBA’s corporate culture.
APRA released the CBA prudential inquiry final report on 30 April 2018. The report noted that CBA’s culture had a lack of clear accountability, and hence it was difficult to identify who was accountable when problems arise. A lack of collective accountability by senior leadership was one of the main factors identified by the regulator that led to CBA’s ineffective management of its regulatory compliance obligations, leading to the money laundering scandal.
APRA had also assessed the internal practices of CBA through interviews and focus group discussions with employees from various levels. The company’s culture was characterised as lax, complacent, and reactive based on the findings. The report highlighted that CBA employees tended to adopt a sense of helplessness because of the large size of the company and the complexity of issues. The employees of the bank attributed the problems faced by the bank to external factors such as the highly volatile nature of the financial markets, rather than internal failures. Employees were found to have a “check-box” mentality whereby they would just carry out the processes assigned to them and nothing more due to their lack of understanding of the rationale behind decisions made.
Who is to Blame?
CBA’s first response to the AUSTRAC accusations was to downplay the severity of its error. It claimed that due to technicalities of the law, the 53,700 breaches alleged by AUSTRAC may only be considered as just one breach as all the breaches were caused by a software update error. The software update error had caused the IDMs to malfunction and stopped the generation of TTRs required for all transactions above A$10,000. CBA’s Chief Executive Officer (CEO) Ian Narev claimed CBA only discovered the error three years later in 2015 and had taken steps to notify AUSTRAC and provided a fix for the machines within a month.
Suspicions related to illegal activities had already been raised within the bank since 2014. These red flags should have prompted the company to file reports regarding their IDMs being used for illegal activities to AUSTRAC within three business days under the AML/CTF Act. However, CBA did not do so for many transactions.
According to a report by AUSTRAC, “Had [CBA] introduced daily limits earlier it would have disrupted money laundering activity through IDMs by syndicates involved in the importation and distribution of drugs including methamphetamine.”
Sign of Repentance
Under immense public pressure, the board of CBA announced in August 2017 that it would cut all short-term incentive bonuses for its top management, as well as reduce the director fees of its board members by 20% for the year. In addition, CBA announced that its CEO would be leaving the bank by the end of the 2018 financial year.
Following the additional pressure from legal actions being taken against the bank, as well as the fall in its share price, Catherine Livingstone, the Chairman of the board, announced a board restructuring plan, with three directors being replaced. She also announced that the bank intends to establish a director subcommittee to oversee the investigations and responses relating to the scandal.
Analysts estimated that the increase in operating costs arising from legal fees to defend itself against lawsuits would amount to A$200 million over the following two years. In addition, it was estimated that CBA would have to incur a A$2.5 billion fine as a result of its breaches.
Subsequently, CBA announced that Narev would not be eligible to cash in his long-term bonus shares for the year. In an investor conference, Narev apologised for the scandal and took responsibility for it. Livingstone also apologised for the scandal during the shareholders meeting. In addition, it was announced that two more board directors would leave by the end of 2018.
Director Asleep at the Wheel?
CBA’s board of directors also came under the spotlight when consumer advocates claimed that the “long-serving Commonwealth Bank board members had been asleep at the wheel”, leading to the bank’s long string of scandals since 2009 that included the bribery of CBA’s executives in relation to the award of business contracts, provision of shoddy financial planning advice, and the “fees for no service” scandal.
The board was originally made up of 10 directors, out of which eight were independent nonexecutive directors. The Chairman of the Risk Committee, Shirish Apte, did not reside in Australia, where the CBA headquarters are located. Instead, he lived in Singapore, where he was employed.
APRA’s final report on CBA’s prudential inquiry had found that there was a culture of complacency, dismissiveness toward government regulations, and a general lack of accountability and oversight of the risks by CBA’s key management and senior executives. The regulator found that the board had placed high trust and confidence in the bank’s management due to their continual financial success. The board also believed that CBA, being one of the four largest banks in Australia, was conservative and had a culture of prioritising their customers’ interest. This led the board to let its guard down.
APRA noted that these factors resulted in the board being complacent and less attentive to signals that may have alerted it to the risks introduced by the IDMs and the money laundering scandal. The report also said that the board and its committees were often slow in dealing with non-financial risks, which may have communicated a tone of inaction to the rest of organisation. The inquiry found that the board was not sufficiently rigorous in ensuring that management mitigated high risk areas.
The Beginning of the End
In early April 2018, Narev stepped down as CEO of CBA with A$12 million worth of shares as a parting gift. He was replaced by Matt Comyn, the head of CBA’s retail bank since 2012. Two months later, CBA and AUSTRAC reached a settlement agreement. As part of the settlement, CBA would pay a record A$700 million fine to settle the claims of money laundering and terror financing breaches. The bank admitted to failure in the late or non-filing of more than 53,700 reports to AUSTRAC for cash deposits over A$10,000 and 149 suspicious matter reports. CBA claimed that it had improved its internal controls and systems since then.
Epilogue: Hayne’s Call for Change
The Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry was tasked with investigating if Australia’s banks have engaged in misconduct, and whether adequate controls were put in place. The one-thousand-page report by Commissioner Hayne, which was released in February 2019, contained 76 recommendations. Among the recommendations, financial regulators are to impose criminal charges against entities associated with the “fees for no service” scandal. The royal commission also recommended the retention of the “twin peaks model” for financial regulation, but with a clearer segregation of roles. APRA continued to retain its role in regulation, and ASIC would oversee conduct and disclosure. ASIC was also urged to commence legal proceedings when dealing with large corporations in the event of law breaches, instead of merely issuing infringement notices, which should only be used for administrative matters. In addition, APRA and ASIC should also be more stringently monitored by an independently chaired regulator-oversight body, to ensure the accountability of regulators by conducting regular reviews.
Following the royal commission’s calls for further investigations by the regulators into CBA’s failings, CEO Comyn addressed past lapses and pledged to improve its compliance and risk functions.
Commissioner Hayne highlighted that the Australia’s financial institutions must change their culture and conduct. The CBA scandal involving money laundering and terror financing breaches was arguably one of the largest scandals in recent years. However, other misconduct such as deceased customers being charged fees and unqualified customers being sold insurance, was also uncovered. The Hayne report is a wakeup call to the financial industry in Australia.
- Describe the deficiencies in oversight and accountability within CBA that contributed to the failure. Should the CEO, Ian Narev, be held responsible for a technical operational error? Suggest potential improvements.
- Discuss how the culture at CBA contributed to the lapses in risk management. Suggest improvements to be made.
- Comment on the actions taken by CBA following the discovery of the vulnerabilities. Was there more that the company could have done?
- Evaluate if the penalty imposed by the courts was fair to CBA’s stakeholders. Should the board of directors have been held responsible for the breaches?
- In light of the recent wave of technological integration within the banking and finance industry, discuss its impact and how the risks can be managed.