Commonwealth Bank: Buggy software made us miss money laundering
Mandatory reports stopped flowing, suits don't notice for 3 YEARS... but bank throws devs under bus
Australia's Commonwealth Bank has blamed a software update for a money laundering scam that saw criminals send over AU$70m (US$55m, £42.5m) offshore after depositing cash into automatic teller machines.
News of the Bank's involvement in the laundering scam broke last week, when Australia's financial intelligence agency AUSTRAC announced that it had found over 53,500 occasions on which the Bank failed to submit reports on transactions over $10,000. All transactions of that value are reportable in Australia, as part of efforts to crimp the black economy, crime and funding of terrorism.
The news was not a good look for the Bank (CBA), because most of the cash was deposited into accounts established with fake driver's licences.
Worse still is that each failure of this type can attract a fine of AU$18m, leaving CBA open to a sanction that would kill it off.
Today the bank has explained the reason for its failure: “a coding error” that saw the ATMs fail to create reports of $10,000+ transactions. The error was introduced in a May 2012 update designed to address other matters, but not repaired until September 2015.
CBA's statement does not, however, address why it didn't notice a drop in the number of reports flowing from its ATMs. Nor does it address AUSTRAC's allegation that “Even after CBA became aware of suspected money laundering or structuring on CBA accounts, it did not monitor its customers to mitigate and manage money laundering/terrorism financing risk, including the ongoing money laundering/terrorism financing risks of doing business with those customers.”
All we get is the following:
“In an organisation as large as Commonwealth Bank, mistakes can be made. We know that because we are a big organisation, these mistakes can have significant impact.”
The Bank says it has “increased our investment in people, technology and processes through a program designed not only to address existing weaknesses, but also to meet the growing complexity in this area.”
CBA has issued similar mea culpas after other recent fails, including sales of insurance policies that covered almost nothing and predatory financial advisors who lined their own pockets by dishing out poor advice to investors. The Bank was also at the centre of the bribery allegations made against CSC subsidiary ServiceMesh. This latest mess has markets questioning whether CBA's CEO can survive, and wondering what will happen if fines get anywhere near the $954,000,000,000 total that the law allows in this case. ®